Affected users have been unknowingly mining Monero.
Brazil has been hit by an elaborate cryptocurrency mining attack that infected hundreds of thousands of routers across the country.
The attack, which is still ongoing, affects MikroTik routers specifically. In this instance, over 200,000 machines have been affected, creating a massive XMR-mining botnet across Brazil.
The perpetrators were able to infect devices with malicious code, surreptitiously running CoinHive in the background. For those unfamiliar, CoinHive is a popular Monero mining script which has become widely used to pool processing power to mine cryptocurrency – often for charity, but unfortunately, not this time.
This kind of attack is known as a zero-day – exploiting previously unknown vulnerabilities in code. This zero-day allowed for CoinHive to be run on every single page visited by exposed machines – potentially millions of websites loaded every day with secret cryptocurrency payloads.
The attack started earlier this week and is believed to be just in its early stages. BleepingComputer reports that a second attack was initiated, bringing the total number of machines affected to over 200,000.
Even though the manufacturer issued a patch for this vulnerability back in April, routers are often not kept up to date, so anyone with a MikroTik router is urged to patch it immediately.
Analysts fear it could spread into a global epidemic. SpiderLabs researcher Simon Kenin, who has since been working to spread the word about the attack, was tipped off by the suspiciously high volume of CoinHive traffic coming out of Brazil.
“Let me emphasize how bad this attack is,” he wrote in his analysis. “There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily.”
He further posits that this is really symptomatic of a wider trend across the internet. A few years ago, the world was in the grips of a ransomware plague. Awareness has increased so much that ballsy blackmail schemes are becoming harder to, uh, pull off.
Now, it seems, crypto-jacking with scripts like CoinHive is all the rage. Kenin further highlights this trend in his report:
Miners, on the other hand, can be a lot more stealthy, so while a single computer would yield more money from ransomware if the user ends up paying, an attacker would prefer to run a stealthy miner for a longer period of time. The plan being that at some point the mining would be as profitable as, if not more than, the one-time ransom payout.
So, just quickly, double-check whether you have a MikroTik router. If you do – head directly to the manufacturer’s website and get an official update.