This article originally appeared in 150sec.com on August 7, 2018.
Security researchers have uncovered at least three large-scale malware campaigns, attacking mainly Brazilian and Moldovan routers, that abuse Coinhive, a browser-based Monero mining script. The attackers compromise routers made by the Latvian company MikroTik and use them to push the mining script into the browsers of computers connected to the network, so that those machines mine the Monero cryptocurrency for the attackers' benefit.
According to Hacker News, the attacks have affected over 210,000 routers and the number continues to rise. The attackers gained remote administrative access to MikroTik routers by exploiting a vulnerability in Winbox, the router's management component, a flaw for which MikroTik had already released a patch before the campaigns began.
MikroTik is a Latvian company headquartered in Riga which has been in business for over 20 years. Specialising in wireless ISP technology and routers, they provide hardware and software around the globe and boast of stability and flexibility in their technology.
Since the malware was detected, the company has published a blog post about the vulnerability, how to protect routers and how to remove the malicious scripts. However, with a user base concentrated in Brazil as well as China, Russia and Indonesia, many home users appear to be unaware either that the compromise occurred or how to update their routers. A router is also a piece of everyday technology that home users seldom think about, so manual updates appear unlikely.
Simon Kenin, a researcher at Trustwave, first noticed a campaign targeting Brazilian devices, eventually uncovering 183,700 hacked MikroTik routers. Because the Coinhive script is injected into traffic passing through the router rather than installed on any one computer, people who visited websites hosted behind infected routers were also hit by the miner, which used their computers to mine cryptocurrency. It has also been reported that other attackers have begun using the same method, so the compromise continues to spread around the globe.
The miner works by injecting its script into the error pages the router returns to users, so that it runs in the background whenever an error page is displayed. Originally the script was injected into every page a user opened, but with many tabs open the mining load overwhelmed computers, which was counterproductive to the hackers' aims.
Since the initial report, further campaigns have been discovered that pushed the same mining process onto over 25,500 routers and then a further 16,000, across Moldova.
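The injection described above is visible from the client side: an HTML response that carries a Coinhive loader where the site owner put none. The following is an added detection example, not code from the article, Trustwave or MikroTik. It scans raw HTTP responses for the publicly documented Coinhive embed (the coinhive.min.js loader and the CoinHive.Anonymous/CoinHive.User constructors; assumed here to be a reasonable starting signature, not an exhaustive one), records which status codes carry the script, and goes one step beyond the text by flagging the tell-tale of an in-path injector: the same Coinhive site key showing up on unrelated hosts. The sample responses, host names and site key are constructed.

```python
"""Detect a Coinhive-style miner injected into HTTP responses.

Added example. Indicators are the documented Coinhive embed (assumption:
starting signature set). Sample responses below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Loader URL and constructor names of the public Coinhive embed (assumption).
INDICATORS = {
    "loader": re.compile(r"coinhive\.min\.js", re.I),
    "authedmine": re.compile(r"authedmine\.min\.js", re.I),   # opt-in variant
    "constructor": re.compile(r"CoinHive\.(?:Anonymous|User)\s*\(", re.I),
}
# The site key passed to the constructor identifies who gets paid.
SITE_KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9_-]{8,})['\"]", re.I
)


@dataclass
class Finding:
    host: str
    status: int
    indicators: list
    site_key: Optional[str]


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, headers, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", errors="replace")


def scan_response(host: str, raw: bytes) -> Optional[Finding]:
    """Return a Finding if an HTML response carries the miner, else None."""
    status, headers, body = parse_http_response(raw)
    if "text/html" not in headers.get("content-type", "").lower():
        return None  # only HTML can carry a <script> that the browser runs
    hits = [name for name, pat in INDICATORS.items() if pat.search(body)]
    if not hits:
        return None
    m = SITE_KEY_RE.search(body)
    return Finding(host, status, hits, m.group(1) if m else None)


def shared_site_keys(findings):
    """Site keys seen on more than one host: one payee across unrelated sites
    points at an in-path injector (e.g. a router) rather than site owners."""
    hosts_by_key = {}
    for f in findings:
        if f.site_key:
            hosts_by_key.setdefault(f.site_key, set()).add(f.host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


def status_breakdown(findings) -> Counter:
    """Which status codes carried the miner (error pages only, or every page?)."""
    return Counter(f.status for f in findings)


# ---- constructed sample traffic -------------------------------------------
INJECTED = (
    b'<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    b"<script>var m=new CoinHive.Anonymous('ConstructedSiteKey0001');"
    b"m.start();</script>"
)


def http(status: int, reason: str, body: bytes, ctype: bytes = b"text/html") -> bytes:
    """Build a minimal raw HTTP/1.1 response (constructed sample)."""
    return (f"HTTP/1.1 {status} {reason}\r\n".encode()
            + b"Content-Type: " + ctype + b"\r\n\r\n" + body)


SAMPLES = [
    ("shop.example", http(404, "Not Found",
                          b"<html><body><h1>Not Found</h1>" + INJECTED + b"</body></html>")),
    ("news.example", http(404, "Not Found",
                          b"<html><body>No such article." + INJECTED + b"</body></html>")),
    ("news.example", http(200, "OK", b"<html><body>Front page, untouched.</body></html>")),
    ("cdn.example", http(200, "OK", b'{"ok": true}', b"application/json")),
]


def scan_samples():
    """Run the scanner over the constructed samples and return the findings."""
    return [f for host, raw in SAMPLES if (f := scan_response(host, raw))]


if __name__ == "__main__":
    found = scan_samples()
    for f in found:
        print(f"{f.host}: HTTP {f.status} carries {f.indicators}, key={f.site_key}")
    print("status breakdown:", dict(status_breakdown(found)))
    print("keys shared across hosts:", shared_site_keys(found))
```

Running it on the constructed samples reports the miner on the two 404 pages only, matching the error-page-only behaviour the article describes, and shows one site key shared by two unrelated hosts. In a real deployment the same logic can be fed from a proxy log or a packet capture; the shared-key check is what separates a compromised router on the path from a site owner who chose to run the miner.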
In response to the malware attack, Chris Olson, founder of The Media Trust, has slammed the hackers and was recently quoted saying, “In my opinion, this shows it is the work of a script kiddie with not much hacking experience.”