Crypto Hackers Exploit MikroTik Routers To Mine Monero

Crime, News | August 6, 2018 By:

Over 170,000 MikroTik routers are reportedly being exploited by hackers to mine Monero, according to Chicago-based IT security company Trustwave.

At the end of July, Trustwave security researcher Simon Kenin noticed that routers manufactured by MikroTik, a Latvian company that develops wireless ISP systems, were showing a big surge in use of Coinhive, an in-browser JavaScript program that mines Monero. Kenin reportedly found that all of the Coinhive instances were using the same key, which means that all of the mining rewards were being sent to a single account.

According to Kenin, the attacker uses a zero-day in the Winbox component of MikroTik routers that was discovered in April. MikroTik patched the zero-day in less than a day, but that does not mean router owners applied the patch. Kenin said that hundreds of thousands of unpatched devices are still out there, tens of thousands of them in Brazil alone.

“I have to emphasize that this attack is bad, I mean, very bad,” Kenin said. “There are millions of devices around the world that are served by these routers. Miners have chosen these secret attacks because they are more beneficial to them than ransomware attacks that end as soon as the user pays the ransom. With these kinds of attacks, users can continue to benefit continuously. Their goal is to keep mining until it becomes more profitable or as profitable as a ransomware payout.”

Independent security researcher Troy Mursch also observed a similar case in Moldova involving more than 25,000 MikroTik routers running Coinhive scripts. Mursch previously said: “I think Coinhive was honestly a really good idea. It was supposed to be an alternative monetization method for websites. But now we can see it’s being abused. I’d say it’s malware.”

Even Coinhive admitted that its program had evolved into a malicious force. “We cannot deny the opinion of a user that we invented a whole new breed of malware,” Coinhive told the Süddeutsche Zeitung newspaper. “We are not proud of it.”