Researchers have discovered a massive cryptojacking campaign targeting MikroTik routers. The campaign began during the past week and was at first mainly active in Brazil, but it has more recently started targeting MikroTik routers worldwide. In the first stage of the attack, the attacker compromised roughly 72,000 MikroTik routers using a zero-day in the routers' Winbox component. The flaw was discovered in April of this year, and a patch was released for it along with a PoC (proof of concept). The attacker used that PoC to change the routers' configuration so that a malicious copy of the Coinhive in-browser cryptocurrency mining script was injected into parts of the victims' web traffic. According to researchers, "we know it's only one threat actor exploiting this flaw because the attacker used only one Coinhive key for all the Coinhive injections he performed during the past week." Non-MikroTik routers have also been seen to be affected. Because the attacker was injecting the Coinhive script into a large share of web traffic, the campaign drew considerable attention, which caused him to switch tactics and inject the script only into the error pages returned by the routers. It is now believed that the attacker has compromised 200,000 routers.
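As an added illustration that is not part of the original report: a small Python check a defender could run over captured HTTP responses to spot the Coinhive loader and site key described above, and to flag the two indicators the text names, a single key reused across every injection and injections landing on router error pages. The sample responses and the site key are constructed placeholders, not values from the campaign.

```python
import re
from collections import Counter

# Constructed sample HTTP responses (status code, body) standing in for web
# traffic passing through a router. The site key is a placeholder, not a real key.
SAMPLE_RESPONSES = [
    (200, "<html><head><title>Shop</title></head><body>Welcome</body></html>"),
    (404, "<html><head><script src='https://coinhive.com/lib/coinhive.min.js'></script>"
          "<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_KEY_AAAA');miner.start();</script>"
          "</head><body>Not Found</body></html>"),
    (502, "<html><head><script src=\"https://coinhive.com/lib/coinhive.min.js\"></script>"
          "<script>new CoinHive.Anonymous(\"PLACEHOLDER_KEY_AAAA\").start();</script>"
          "</head><body>Bad Gateway</body></html>"),
    (200, "<html><head><script src='https://coinhive.com/lib/coinhive.min.js'></script>"
          "<script>new CoinHive.Anonymous('PLACEHOLDER_KEY_AAAA').start();</script></head></html>"),
]

# The in-browser miner is loaded from coinhive.com and started with a site key
# passed to CoinHive.Anonymous(...); both patterns are what we look for.
COINHIVE_LOADER = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
COINHIVE_KEY = re.compile(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9_\-]+)['\"]", re.I)


def find_injection(body):
    """Return the Coinhive site key if the body loads the miner, else None."""
    if not COINHIVE_LOADER.search(body):
        return None
    match = COINHIVE_KEY.search(body)
    return match.group(1) if match else "UNKNOWN_KEY"


def analyze(responses):
    """Summarise injections across responses: per-key counts, error-page hits,
    and whether one key being reused everywhere points to a single actor."""
    keys = Counter()
    error_page_hits = 0
    for status, body in responses:
        key = find_injection(body)
        if key is None:
            continue
        keys[key] += 1
        if status >= 400:  # injection placed in a router-returned error page
            error_page_hits += 1
    return {
        "injected": sum(keys.values()),
        "keys": dict(keys),
        "error_page_hits": error_page_hits,
        "single_actor_indicator": len(keys) == 1 and sum(keys.values()) > 1,
    }
```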
By Akshay Rohatgi and Randy Pargman