Poor patching practices by vendors and users are once again coming back to bite users around the world, as a researcher discovered a cryptominer being spread to unpatched MikroTik routers.
The Coinhive malware was first found spreading through routers in Brazil. Simon Kenin, security researcher for Trustwave, based in Chicago, discovered the Coinhive malware infection originating from Brazil and first assumed it was a more common website compromise attack to inject the cryptomining code. But more digging revealed the infection was spreading through MikroTik routers.
Kenin said malicious actors were exploiting a vulnerability in the routers that MikroTik had patched in April — just one day after the flaw was first discovered.
“The exploit targets Winbox and allows the attacker to read files from the device … but the bottom line is that using this exploit you can get unauthenticated remote admin access to any vulnerable MikroTik router,” Kenin wrote in his analysis. “Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.”
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, based in Sunnyvale, Calif., noted that MikroTik has deployed approximately 1.7 million units around the world — “mostly in Brazil, China, Russia and Indonesia” — and explained why the victims may not have patched.
“Most routers, unfortunately, lack the ability to auto-update, and very few users, especially home users, know how or when to patch the firmware on their router,” Hahad wrote via email. “One of the biggest failures of security vendors that provide small-office [or] home-office routers is not including an auto-update feature by default, regardless of the technical difficulties lying around potentially taking the router offline during the update process.”
Chris Olson, founder and CEO of The Media Trust, based in McLean, Va., agreed infections like the Coinhive malware could prey on poor patching habits.
“The average user will likely plug in their router and forget about it until something goes awry,” Olson wrote via email. “Routers are like electricity and water: Unless service is disrupted, they receive little to no attention. Because they are often ignored, they make the perfect attack vector.”
Coinhive malware infections
Kenin said the Coinhive malware creates and injects a custom error page for every webpage visited by a user through an infected router.
“So if a user receives an error page of any kind while web browsing, they will get this custom error page which will mine CoinHive for the attacker,” Kenin wrote. “The backend Apache server is connected to the router as well, and somewhere along the way there was an error and it was displayed to me, miner included. What this means is that this also impacts users who are not directly connected to the infected router’s network, but also users who visit websites behind these infected routers. In other words, the attack works in both directions.”
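As an added example (not from the article or from Trustwave's analysis), the following Python check flags HTTP error-page bodies that carry an injected Coinhive-style script, the symptom Kenin describes above. A defender could run it over responses captured behind a suspect router. The indicator strings other than "coinhive", the placeholder host and the two sample pages are assumptions constructed for this example.

```python
"""Detect a Coinhive-style script injected into an HTTP error page.

Added example, not from the article or from Trustwave's analysis. It
assumes the injected payload is a <script> tag that either loads a
remote miner or inlines one; the sample pages below are constructed.
"""
from html.parser import HTMLParser

# Indicators a defender might look for in page bodies. "coinhive" comes
# from the article; the other two are assumptions for this example.
MINER_INDICATORS = ("coinhive", "cryptonight", "miner.start(")


class _ScriptCollector(HTMLParser):
    """Collect every <script> element's src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of {"src": str | None, "body": str}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            self.scripts.append({"src": src, "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text while inside <script>.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def find_miner_scripts(html: str) -> list:
    """Return the suspicious <script> elements found in an HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for script in parser.scripts:
        haystack = ((script["src"] or "") + script["body"]).lower()
        if any(indicator in haystack for indicator in MINER_INDICATORS):
            hits.append(script)
    return hits


def is_suspicious_error_page(status: int, html: str) -> bool:
    """True when a 4xx/5xx response body carries a miner script."""
    return 400 <= status <= 599 and bool(find_miner_scripts(html))


# Constructed samples: a clean 404 and one with an injected miner tag.
# example.invalid is a placeholder host, not a real indicator.
CLEAN_404 = "<html><body><h1>404 Not Found</h1></body></html>"
INJECTED_404 = (
    "<html><head>"
    '<script src="https://example.invalid/lib/coinhive.min.js"></script>'
    "<script>var miner = new CoinHive.Anonymous('KEY_PLACEHOLDER');"
    "miner.start();</script>"
    "</head><body><h1>404 Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_404), ("injected", INJECTED_404)):
        print(label, is_suspicious_error_page(404, page), find_miner_scripts(page))
```

The check deliberately keys on the status code as well as the body: a miner script on a 200 page points at a compromised site, while one on an error page generated in transit is the router-level injection this article describes, and the two call for different responses.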
Experts noted that this method of spreading the Coinhive malware to every site visited was unusual.
Sean Newman, director of product management at Corero Network Security, based in Marlborough, Mass., said the Coinhive malware “is not something we’ve specifically seen before.”
“However, it does combine well-known exploit mechanisms, though in a novel way that is well-suited to the practice of cryptojacking,” Newman wrote via email. “And, in this case, we’re not talking about cheap IoT devices with vulnerabilities which are never addressed by the vendor. In this case, the routers were exploited to deliver a cryptomining payload, but the same approach could have just as easily leveraged them for other objectives.”
Olson agreed this method of spreading malware would be more common with the creation of a botnet, and Hahad noted the Coinhive malware might not be the most efficient way of cryptomining.
“Every browser tends to have several open tabs that connect to several sites at once. Duplicating the Coinhive mining script so heavily would bring any computer to its knees in seconds, defeating the very purpose of the attack,” Hahad wrote. “Once tweaked to only inject error pages, the issue was mitigated. But, again, the effectiveness is now dramatically reduced, because people do not hit error pages very often. In my opinion, this shows it is the work of a script kiddie with not much hacking experience.”