In early August security researchers discovered a large malware campaign under way taking advantage of a now patched vulnerability within MikroTik routers.
Why should this threat be considered important?
This attack is underway since while a patch for an exploit for the Winbox component of the RouterOS being open was patched in one day (on the 23rd of April); there are many users who have not installed this update. The number is estimated to be in the hundreds of thousands including internet service provider (ISP) routers). Once exploited the vulnerability allows an attacker to gain remote administrative (high privilege) access to an affected router. Initially this attack originated in Brazil but has since been extended to over 200k devices worldwide (with a second attack). It’s unclear if its by the same perpetrator as the first attack.
Proof of concept (defined) code made available on GitHub has been modified by unknown attackers to add to all traffic passing through a vulnerable MikroTik router a copy of the Coinhive library along with the relevant Coinhive key to benefit a single attacker by means of cryptocurrency mining (an excellent introduction article to BitCoin and cryptocurrency). This attack isn’t just affecting MikroTik routers; Simon Kenin from Trustwave’s SpiderLabs division found that traffic going to and from a MikroTik router was affected e.g. if a website was hosted behind an affected router it would also be impacted.
More recently the attacker has altered his/her approach to adding the Coinhive script to the error pages of the routers rather than the more noticeable approach described above. That altered approach affects more than 170k routers. These error pages can potentially be accessed millions of time per day earning the attacker funds for each page served. With approximately 1.7 million of these routers online around the world there is the potential for this to get worse.
How can I protect myself from this vulnerability?
If you own/administer a MikroTik router or know someone who does, please ensure that any such devices are using the most recent firmware available from this link. Further advice after upgrading the firmware is also provided by MikroTik at the above link.