The security flaw known as CVE-2018-14847 in MikroTik routers is still being exploited by attackers who inject the Coinhive cryptocurrency mining script into websites that users of these routers visit. It has been over four months since MikroTik released the patch for this flaw, but users who ignored the update are now being turned into involuntary miners of Monero.
According to SpiderLabs, tens of thousands of unpatched routers were affected in Brazil, and that number is growing and spreading globally.
The security flaw in MikroTik Ethernet and Wi-Fi routers allows attackers to read and modify arbitrary files. This is a real-world case in which the manufacturer is proactively patching security flaws, but users simply ignore those patches and go on with their day.
This neglect then leads to the attacks spreading all over the world, potentially affecting hundreds of thousands of users.
It All Started in Brazil
The attackers were very smart in the execution of this attack. At first, the Coinhive key was found in 175,000 routers, mainly in Brazil. But after the patch was released, a new key for the same mining script appeared on an additional 25,000 routers in Moldova. According to Troy Mursch, this might be a new phase of the attack, or it might be a copycat of the previous attacker.
So how are these two attacks different?
In the first attack, the Coinhive script was injected into every web page the user visited. In the second attack, the attacker chose to inject the code only into custom error pages. Not only that, the attacker went one step further to avoid detection by issuing cleanup commands after compromising the routers, which reduced the footprint left behind.
Although the attack initially seemed to target only routers in Brazil, it is quickly spreading to other countries. It is estimated that a significant number of MikroTik routers around the world remain unpatched even four months after the release of the security fix.
The reason this attack is spreading so fast is that it works both ways. If websites are hosted on compromised devices, the script is injected into those websites as well, and any user visiting them, even from a device that is not vulnerable, will also be infected, regardless of their geo-location.
SpiderLabs wrote in a blog post:
“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily. As mentioned, servers that are connected to infected routers would also, in some cases, return an error page with Coinhive to users that are visiting those servers, no matter where on the internet they are visiting from.”
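As an added defensive example, not code from the SpiderLabs write-up, the following Python checker flags an injected Coinhive miner in an HTTP response, extracts the site key (the value used above to tell the Brazil wave from the Moldova one), and marks the second-wave behaviour of injecting only into error pages. `CoinHive.Anonymous` and the coinhive.com loader are the public Coinhive client names; the sample responses, hostnames and keys are constructed.

```python
import re
from typing import NamedTuple, Optional

# Coinhive browser miner: loader script served from the coinhive.com domain and
# a site key passed to CoinHive.Anonymous(...). Keys/hosts in samples are constructed.
COINHIVE_LOADER = re.compile(
    r'<script[^>]+src=["\']?https?://[^"\'>]*coinhive\.com/[^"\'>]*', re.I)
COINHIVE_KEY = re.compile(
    r'CoinHive\.Anonymous\(\s*["\']([A-Za-z0-9]+)["\']', re.I)


class Finding(NamedTuple):
    injected: bool
    site_key: Optional[str]
    in_error_page: bool


def inspect_response(status: int, body: str) -> Finding:
    """Flag an HTTP response carrying an injected Coinhive miner.

    site_key identifies the campaign; in_error_page marks the second-wave
    tactic of injecting only into custom error pages (4xx/5xx responses)."""
    loader = COINHIVE_LOADER.search(body)
    key = COINHIVE_KEY.search(body)
    injected = bool(loader or key)
    return Finding(injected, key.group(1) if key else None, injected and status >= 400)


def tally_keys(responses):
    """Count site keys seen across observed responses (e.g. from a proxy log)
    to separate one campaign from a copycat using a different key."""
    counts = {}
    for status, body in responses:
        finding = inspect_response(status, body)
        if finding.site_key:
            counts[finding.site_key] = counts.get(finding.site_key, 0) + 1
    return counts


# Constructed sample responses (not real captures).
CLEAN_PAGE = (200, "<html><body><h1>Welcome</h1></body></html>")
INJECTED_PAGE = (200, '<html><body><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
                 '<script>var m=new CoinHive.Anonymous("KEYAAAA1111");m.start();</script></body></html>')
INJECTED_404 = (404, '<html><body>Not found<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
                '<script>new CoinHive.Anonymous("KEYBBBB2222").start();</script></body></html>')

if __name__ == "__main__":
    for response in (CLEAN_PAGE, INJECTED_PAGE, INJECTED_404):
        print(inspect_response(*response))
    print(tally_keys([CLEAN_PAGE, INJECTED_PAGE, INJECTED_404, INJECTED_404]))
```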