A cryptojacking campaign affects more than 200,000 MikroTik routers

A research group from SpiderLabs (Trustwave) has found a new botnet consisting of more than 200,000 MikroTik routers that injects a series of Coinhive scripts to mine cryptocurrencies using the devices of users connected to these routers (cryptojacking). The botnet started with 72,000 routers in Brazil, but in a very short time it began to infect devices all around the world until it exceeded 200,000 compromised routers.

The attacker took advantage of a 0-day vulnerability in the Winbox component of the routers that was discovered in April. MikroTik patched the vulnerability in less than a day (RouterOS v6.42.1 and v6.43rc4), but that does not mean users have applied the patch, so the number of affected users is very likely to keep growing.

To fix this security flaw the update must be installed. For greater assurance the router can also be reset to factory settings so that, if it was already infected, the injected configuration is removed and, thanks to the patch, the router cannot be reinfected.
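As a quick way to tell whether a router is still on a pre-fix build, here is an added Python example (not code from the article, MikroTik or SpiderLabs) that compares a RouterOS version string against the two patched versions the article names. It assumes RouterOS's `MAJOR.MINOR[.PATCH][rcN]` version format and flags older branches for manual review, since the article names no fix for them.

```python
"""Compare a RouterOS version string against the patched releases named
in the article (6.42.1 stable, 6.43rc4 release candidate).

Added example, not MikroTik's or SpiderLabs' code. Assumes the
RouterOS version format MAJOR.MINOR[.PATCH][rcN].
"""
import re
from typing import Tuple

# The two patched versions named in the article (stable, release candidate).
PATCHED_VERSIONS = ("6.42.1", "6.43rc4")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '6.43rc4' into a sortable tuple.

    A release candidate sorts below the final release of the same number
    (6.43rc4 < 6.43), so the tuple carries a flag: 0 for rc, 1 for final,
    followed by the rc number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def is_patched(version: str) -> bool:
    """True if `version` is at or above a patched release on its branch.

    6.42.x is compared against 6.42.1; 6.43 and newer against 6.43rc4.
    Older branches (e.g. 6.40.x) return False because the article names no
    fix for them (assumption); treat those as "check the vendor advisory".
    """
    v = parse_version(version)
    stable_fix = parse_version(PATCHED_VERSIONS[0])
    rc_fix = parse_version(PATCHED_VERSIONS[1])
    if v[:2] == stable_fix[:2]:          # same 6.42 branch as the stable fix
        return v >= stable_fix
    return v >= rc_fix                   # 6.43rc4 or anything newer


if __name__ == "__main__":
    for sample in ("6.42", "6.42.1", "6.43rc3", "6.43rc4", "6.43", "6.40.8"):
        print(sample, "patched" if is_patched(sample) else "NOT patched")
```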

Update 14/09/2018: Researchers from the Chinese company Netlab.360 discovered that of the approximately 1.2 million MikroTik routers in existence, about 370,000 are still vulnerable to the CVE-2018-14847 exploit, and that between August 23 and 24 there were more than 7,500 compromised routers. In addition, on September 9, researcher Troy Mursch, using the Shodan tool, identified more than 3,800 compromised routers, distributed between Brazil (2612), Argentina (480), Ecuador (214) and Colombia (120).