Massive router hack used to spread CoinHive cryptomining script
Researchers at Trustwave have uncovered an attack on tens of thousands of MikroTik routers which is being used to embed CoinHive cryptominer scripts in websites.
A surge in CoinHive activity in Brazil at the start of this week alerted researchers that something was happening. Further investigation showed that MikroTik devices were at the root of the problem, and all of them were using the same CoinHive site key.
MikroTik routers are used mainly by internet providers and big organizations, allowing the attack to reach large numbers of users. The attack is believed to have affected at least 70,000 routers in Brazil and potentially tens of thousands of routers in other geographies, suggesting that this campaign is growing.
The exploit uses a vulnerability that MikroTik patched on April 23rd. Although the company released the patch within a day of the flaw's discovery, hundreds of thousands of unpatched devices remain exposed, tens of thousands of them in Brazil alone.
Rather than running malicious code on the router itself, the attackers use the device's own functionality to inject the CoinHive script into web traffic passing through it. Whenever a user browsing through an affected router receives an error page of any kind, the router serves a custom error page that runs the CoinHive miner for the attacker's benefit.
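The two indicators the researchers describe, a CoinHive loader turning up in pages that never shipped it and a single site key shared across unrelated hosts, can be checked from the client side. The following is an added example, not code from the Trustwave write-up or from this article: it parses captured HTTP response bodies, extracts any CoinHive loader URL and site key, and correlates keys across hostnames, so that one key appearing on error pages from several unrelated sites stands out as injection upstream of those sites (for instance by a router in the path). The function names, the regexes and the sample responses are all constructed for this example; the site key in them is a placeholder, not a real key.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators of the injected miner: the CoinHive loader script and the site key
# passed to the miner constructor. These patterns are written for this example.
COINHIVE_LOADER = re.compile(r"coinhive\.com/lib/coinhive\.min\.js", re.IGNORECASE)
COINHIVE_SITE_KEY = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([^'\"]+)['\"]")


class _ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and every inline script body from an HTML response."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._buf: Optional[List[str]] = None  # non-None while inside a <script> element

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            self._buf = []

    def handle_data(self, data: str) -> None:
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def find_coinhive(body: str) -> Optional[Dict[str, List[str]]]:
    """Return CoinHive loader URLs and site keys found in one response body, or None if clean."""
    parser = _ScriptCollector()
    parser.feed(body)
    parser.close()
    loaders = [s for s in parser.srcs if COINHIVE_LOADER.search(s)]
    keys = sorted({k for js in parser.inline for k in COINHIVE_SITE_KEY.findall(js)})
    if not loaders and not keys:
        return None
    return {"loaders": loaders, "site_keys": keys}


def correlate_site_keys(responses: List[Dict]) -> Dict[str, List[str]]:
    """Map each site key to the sorted list of distinct hosts whose responses carried it.

    Each response is a dict with "url", "status" and "body" (see the constructed samples).
    A key shared by hosts that have nothing to do with each other is the signal the
    researchers used: the script is being added on the path, not by the sites themselves.
    """
    seen: Dict[str, set] = {}
    for resp in responses:
        hit = find_coinhive(resp["body"])
        if not hit:
            continue
        host = urlsplit(resp["url"]).hostname or resp["url"]
        for key in hit["site_keys"]:
            seen.setdefault(key, set()).add(host)
    return {key: sorted(hosts) for key, hosts in seen.items()}


def upstream_injection_suspects(responses: List[Dict], min_hosts: int = 2) -> List[str]:
    """Site keys that appear in responses from at least `min_hosts` different hosts."""
    return sorted(k for k, hosts in correlate_site_keys(responses).items() if len(hosts) >= min_hosts)


# Constructed sample responses: two error pages from unrelated hosts carrying the same
# placeholder key, plus one clean page. Not captured traffic.
_INJECTED = (
    '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    '<script>var miner = new CoinHive.Anonymous("CONSTRUCTED_SITE_KEY_1");'
    'miner.start();</script></head><body><h1>{title}</h1></body></html>'
)
SAMPLE_RESPONSES = [
    {"url": "http://site-a.example/missing", "status": 404, "body": _INJECTED.format(title="404 Not Found")},
    {"url": "http://site-b.example/api", "status": 502, "body": _INJECTED.format(title="502 Bad Gateway")},
    {"url": "http://site-c.example/", "status": 200, "body": "<html><body><p>Welcome</p></body></html>"},
]

if __name__ == "__main__":
    for key, hosts in correlate_site_keys(SAMPLE_RESPONSES).items():
        print(f"site key {key} seen on {len(hosts)} hosts: {', '.join(hosts)}")
    print("suspect keys:", upstream_injection_suspects(SAMPLE_RESPONSES))
```

To use this against real traffic, feed it response bodies recorded by a proxy or a scripted fetch of a few deliberately non-existent URLs on sites you control; a clean path returns no hits, while an injecting router shows the same key on every error page regardless of host.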
Trustwave security researcher Simon Kenin says:
There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily.
Allegedly, each user would have initially gotten the CoinHive script regardless of which site they visited. Even if this attack only works on pages that return errors, we're still talking about potentially millions of daily pages for the attacker.
You can find more details of the attack on the Trustwave blog.