Report: More than 415,000 MikroTik routers corrupted with Cryptojacking malware

Dennis Wafula

December 6, 2018

Reports have emerged that MikroTik routers are being found infected with cryptojacking malware. This follows similar revelations in August, when over 200,000 routers were found infected. Cryptojacking malware allows a remote attacker to steal the computing power of connected Personal Computers (PCs) to mine cryptocurrency.

At the moment, the report says that the number has since doubled and is still expanding, although the threat is only to MikroTik users. According to the report from The Next Web, the figure of 415,000 is not necessarily exact, because the data is based on IP addresses observed to be affected by cryptojacking scripts. The threat is nonetheless real and growing rapidly.

Threat Detection Map

The Next Web laid out a threat-detection heat map showing the areas affected by the compromised routers. Initially, most of the compromised routers were discovered in Brazil, which alone was hit by Coinhive attacks more than 81,000 times in October. India was second with 29,000 similar reports, followed by Indonesia and Iran with 23,000 and 11,000 cases respectively.

However, as the infection has spread, other regions have become affected as well, including North America, South America, Africa, Europe, Asia and the Middle East. MikroTik routers are sold largely to Internet Service Providers (ISPs) and organizations, and the recent surge in router cryptojacking malware shows that many of them had not adopted the latest router firmware.

Coinhive Script

Older versions of the router’s firmware are susceptible to these attacks. Once a router is compromised, the attackers exploit the internet users behind it by injecting the Coinhive script into every page they visit. According to the National Vulnerability Database: “MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.”
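For a defender, the two practical checks that follow from this paragraph are (a) whether a router's RouterOS version falls inside the "through 6.42" range the NVD text describes, and (b) whether pages served to users behind a router carry an injected Coinhive miner. The script below is an added example written for this page; it is not code from the article, The Next Web or MikroTik. The indicator list and the two sample HTML pages are constructed for the example (the `coinhive.com/lib/coinhive.min.js` path is the library URL Coinhive used, and the site key is a placeholder); the version parser treats a release candidate suffix such as `rc1` as the plain base version, which is a simplifying assumption.

```python
import re
from html.parser import HTMLParser

# Indicators of an in-browser miner injected into served pages.
# Constructed list for this example; extend it from your own threat intel.
MINER_SCRIPT_INDICATORS = (
    "coinhive.min.js",      # Coinhive's browser mining library
    "CoinHive.Anonymous",   # Coinhive JavaScript API entry point
)

# Constructed sample: a page as it would look after a compromised router
# injected the miner. The site key is a placeholder, not a real key.
SAMPLE_INJECTED_PAGE = """<html><head><title>Example customer portal</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY_PLACEHOLDER');
  miner.start();
</script></head><body><p>Welcome</p></body></html>"""

# Constructed sample: the same page without any injection.
SAMPLE_CLEAN_PAGE = """<html><head><title>Example customer portal</title>
<script src="/static/app.js"></script></head><body><p>Welcome</p></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so this catches
        # inline miner bootstrap code as well as external script references.
        if self._in_script:
            self.inline.append(data)


def find_miner_scripts(html):
    """Return every script source or inline fragment matching a miner indicator."""
    parser = _ScriptCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        if any(ind.lower() in src.lower() for ind in MINER_SCRIPT_INDICATORS):
            hits.append(src)
    for body in parser.inline:
        if any(ind in body for ind in MINER_SCRIPT_INDICATORS):
            hits.append(body.strip()[:80])  # keep a short excerpt for the alert
    return hits


def parse_routeros_version(version):
    """'6.42.1' -> (6, 42, 1); '6.42' -> (6, 42, 0). Suffixes such as 'rc1' are dropped."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError("not a RouterOS version string: %r" % version)
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_by_winbox_traversal(version):
    """True when the version is inside the 'RouterOS through 6.42' range the NVD text gives."""
    return parse_routeros_version(version) <= (6, 42, 0)


if __name__ == "__main__":
    for label, page in (("injected", SAMPLE_INJECTED_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        print(label, "->", find_miner_scripts(page))
    for v in ("6.40.8", "6.42", "6.42.1", "6.43"):
        print(v, "affected" if is_affected_by_winbox_traversal(v) else "not affected")
```

Running the script flags both the external `coinhive.min.js` reference and the inline `CoinHive.Anonymous` bootstrap in the injected sample, reports nothing for the clean sample, and classifies 6.40.8 and 6.42 as inside the affected range while 6.42.1 and 6.43 fall outside it. The HTML scan is the kind of check an ISP could run over a sample of pages fetched through each customer-facing router to spot injection without needing shell access to the device.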

Additionally, attackers are changing tack to avoid being caught: they have recently moved to other mining software such as Omine and CoinImp to conceal their fraudulent activities. Bloomberg reports that such attacks have grown by 500% this year, following the alleged theft of code from the National Security Agency (NSA) that targets Microsoft systems. CRYPTO IS COMING!
