MikroTik is a Latvian company that produces network equipment such as routers and wireless ISP systems. Earlier this year a vulnerability was found in a device the company manufactures. This small flaw left users' devices defenseless against attack. A patch to fix the bug was subsequently released. Users who had the good sense to update their devices' software were protected from the threat, but users who ignored the update have become victims of cryptojacking. The subjects of this disaster are now unwillingly and unknowingly mining the cryptocurrency Monero.
Coinhive, the mining service used to mine Monero, is being installed on the devices of users who were left exposed because they did not update their software in time. The flaw affecting these devices is tracked as CVE-2018-14847. Tens of thousands of vulnerable routers in Brazil were attacked; since then the situation has worsened and the number of affected users is rising all over the globe. SpiderLabs, the security team at Trustwave, tweeted:
Our researcher @Simon_Kenin has discovered a massive #IoT #cryptojacking campaign affecting tens of thousands of unpatched @mikrotik_com routers in Brazil and going global. Read more here: https://t.co/SfIz7KKcnc
— SpiderLabs (@SpiderLabs) August 1, 2018
This is how it works. The attacker gains access to the device's files by bypassing the authentication that should protect them from being read or modified, and is then able to extract and change files at will. In this case, Coinhive was planted to mine Monero.
This operation, which started in Brazil, is now expanding into European countries. The Coinhive site key was initially used on 175,000 of the total devices in Brazil, but in Europe a new key for the same mining script was used, affecting almost 25,000 routers. Because the key changed, however, the idea that a single person was responsible became doubtful. The crypto enthusiast Troy Mursch tweeted:
Coinhive site key “oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4” is used in another #cryptojacking campaign targeting MikroTik routers. In this case, over 25,000 affected hosts are found on @censysio
— Bad Packets Report (@bad_packets) August 2, 2018
SpiderLabs also reported that this kind of attack on routers is more damaging than attacks delivered via websites, because the attackers reached a much larger group of people. Hundreds of thousands of individuals and businesses all over the globe use these devices. Because of this flaw in the router, all of these users became exposed to attacks and malicious firmware.
What initially targeted Brazilians is now spreading worldwide, owing to a lack of vigilance by users who ignored the updates the company released. As the scale suggests, many people are still exposed.
Simon Kenin, a security researcher at SpiderLabs, stated:
There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses; each device serves at least ten if not hundreds of users daily.
Another point that makes this vulnerability so dangerous is that, because access is obtained through the router, and a single router may serve many devices, all of those devices become susceptible to the same threat. Simon further states:
As mentioned, servers that are connected to infected routers would also, in some cases, return an error page with Coinhive to users that are visiting those servers, no matter where on the internet they are visiting from.
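The injected error pages Kenin describes carry the Coinhive loader and a site key, which gives defenders something concrete to look for in web traffic. The following detector is an added example, not code from SpiderLabs or MikroTik: it scans HTTP response bodies for the Coinhive loader, extracts the site key, and compares it against the key quoted in the Bad Packets tweet above. The sample page bodies are constructed for illustration, and the `CoinHive.Anonymous(...)` call shape is assumed from Coinhive's public JavaScript API.

```python
import re

# Constructed sample HTTP response bodies (not captured from real devices):
# a benign 404 page and the same page with a Coinhive miner injected.
SAMPLE_PAGES = {
    "benign": "<html><body><h1>404 Not Found</h1></body></html>",
    "injected": (
        "<html><head>"
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>var miner = new CoinHive.Anonymous("
        "'oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4', {throttle: 0.2});"
        "miner.start();</script>"
        "</head><body><h1>404 Not Found</h1></body></html>"
    ),
}

# Site key reported in the Bad Packets Report tweet on this page.
KNOWN_CAMPAIGN_KEYS = {"oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4"}

# The miner is loaded from coinhive.min.js; the site key is the first
# argument of the CoinHive.Anonymous/User/Token constructor (assumed API shape).
LOADER_RE = re.compile(r"coinhive\.min\.js", re.IGNORECASE)
SITEKEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User|Token)\(\s*['\"]([A-Za-z0-9+/=]{20,})['\"]"
)


def scan_body(body: str) -> dict:
    """Return findings for one response body: loader present, keys, known key."""
    keys = set(SITEKEY_RE.findall(body))
    return {
        "loader": bool(LOADER_RE.search(body)),
        "site_keys": sorted(keys),
        "known_campaign": bool(keys & KNOWN_CAMPAIGN_KEYS),
    }


def scan_all(pages=SAMPLE_PAGES) -> dict:
    """Scan every sample page and map its name to the findings."""
    return {name: scan_body(body) for name, body in pages.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(name, result)
```

In practice the bodies would come from a proxy log or packet capture; a hit on `loader` alone indicates injection, and a match in `known_campaign` ties it to this specific campaign.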
In conclusion, the update MikroTik provided should be installed without further delay in order to secure the router and every device behind it.