Worldwide, it is believed that 415,000 routers are infected with malware and have the ability to steal resources to mine for cryptocurrency under the radar. MikroTik routers are amongst the most popular in the world. A majority of ISP’s and other organization use them, but at the rate that they are becoming infected, it is obvious they are not being updated by their users. A large amount of the devices that have been infected are in Brazil, but at this point infected devices have been seen all over the world. CoinHive is the primary software being used in these crypto-jacking attacks, with the attackers exploiting a directory traversal vulnerability which can be found in the WinBox interface of older MikroTik routers. When run correctly, unauthenticated attackers can read arbitrary files while authenticated remote attackers can write the files. Luckily, a patch has already been released by MikroTik.
Analyst Notes
If users own and operate a MikroTik router, it is suggested that they download and install the patch immediately. Users should also keep up with firmware updates as they are released, this will leave them less susceptible to these types of attacks. Routine checks can also be put in place to make sure that the router is functioning as it should and has not been compromised in any way.
