200,000 MikroTik Routers infected with Crypto Mining Malware

by Julie Splinters

Three massive malware campaigns exploiting more than 200,000 vulnerable MikroTik routers have been revealed.

MikroTik vulnerable routers

The hackers behind these campaigns aim to secretly run cryptocurrency mining malware on the devices of users connected through unpatched, vulnerable MikroTik routers.[1]

MikroTik is a Latvian network hardware vendor operating across the globe. It has developed routers and wireless ISP systems since 1996.[2]

Already more than 210,000 routers compromised and the number is still increasing

According to the security researchers who revealed the attack, the malware campaigns have already compromised more than 210,000 routers across the world, and the number is still increasing.[3]

The vulnerability exploited by the cybercriminals behind these campaigns was discovered in April 2018. The flaw is in the Winbox component of MikroTik routers and was patched within a day of its discovery.

The bug allowed an attacker to gain unauthenticated remote access to any unpatched MikroTik router.

The first and biggest campaign so far was discovered by the security company Trustwave. Trustwave researchers detected cryptojacking in Brazil, where attackers had compromised more than 183,700 unpatched MikroTik routers.

After Brazil, the campaign spread on a global scale, and other hacker groups also started exploiting the MikroTik router bug.

Code used from CoinHive

Two similar campaigns, detected by Troy Mursch, infected 25,500 and 16,000 routers respectively. The infected routers were located mostly in Moldova. The malicious mining code came from the CoinHive service.

The security researcher announced the cryptojacking campaigns on Twitter[4] on the 2nd of August:

Three #cryptojacking campaigns targeting MikroTik routers.

Two using CoinHive, one using Crypto-Loot.

209,501 compromised devices.

The hackers behind the campaigns exploit the MikroTik router vulnerability to inject CoinHive's JavaScript into every website the victim visits.

“The attacker created a custom error page with the CoinHive script in it” and “if a user receives an error page of any kind while web browsing, they will get this custom error page which will mine CoinHive for the attacker,” says Trustwave researcher Simon Kenin.

It is worth mentioning that the attackers infect a huge number of devices at once, rather than going after less popular websites or using sophisticated methods to plant a malicious script on individual computers.

There are hundreds of thousands of these MikroTik devices around the globe, in use by ISPs and by various organizations and businesses, and each device serves at least tens if not hundreds of users daily.
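The technique described above has a detection signature of its own: a site that embeds a miner itself shows it only on its own pages, whereas a miner injected at the router shows up with the same site key on error pages from many unrelated hosts. The following is an added example (not code from the article or from the researchers it cites) that scans constructed HTTP responses for CoinHive-style loader markers and then flags site keys recurring across several hosts' error pages. The loader path and the site key values are assumptions chosen for illustration.

```python
"""Flag browser-miner loaders in HTTP response bodies and spot on-path injection.

Added example. The sample responses below are constructed; the site key is a
placeholder and the coinhive.com loader path is assumed.
"""
import re
from collections import defaultdict

# Markers of a browser-miner loader. The CoinHive library was loaded from
# coinhive.com and started with `new CoinHive.Anonymous('<site key>').start()`.
# Crypto-Loot is only named in the article, so just its domain is matched.
MINER_PATTERNS = {
    "coinhive-loader": re.compile(
        r"<script[^>]+src=[\"'][^\"']*coinhive\.com/[^\"']*[\"']", re.I),
    "coinhive-start": re.compile(
        r"CoinHive\.Anonymous\s*\(\s*[\"']([^\"']+)[\"']"),
    "crypto-loot": re.compile(r"crypto-?loot\.com", re.I),
}


def scan_body(body):
    """Return {indicator_name: site_key_or_None} for one HTTP response body."""
    hits = {}
    for name, pattern in MINER_PATTERNS.items():
        match = pattern.search(body)
        if match:
            hits[name] = match.group(1) if pattern.groups else None
    return hits


def path_injection_suspects(responses, min_hosts=2):
    """Find miner site keys that recur on error pages (status >= 400) of
    several different hosts, the pattern produced by a router rewriting the
    error page it hands back to every user behind it.

    responses: iterable of (host, status, body). Returns {site_key: [hosts]}.
    """
    hosts_by_key = defaultdict(set)
    for host, status, body in responses:
        if status < 400:
            continue
        key = scan_body(body).get("coinhive-start")
        if key:
            hosts_by_key[key].add(host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) >= min_hosts}


# --- constructed sample traffic -------------------------------------------
INJECTED_ERROR_PAGE = (
    "<html><head>"
    "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"  # assumed path
    "</head><body><h1>Error</h1>"
    "<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY');"
    "miner.start();</script></body></html>"
)
CLEAN_404 = "<html><body><h1>404 Not Found</h1></body></html>"
# A site that runs a miner on its own 200 pages: not on-path injection.
SELF_HOSTED_MINER_200 = (
    "<html><body><p>welcome</p>"
    "<script>new CoinHive.Anonymous('OTHER_KEY').start();</script></body></html>"
)

SAMPLE_RESPONSES = [
    ("news.example", 404, CLEAN_404),
    ("shop.example", 404, INJECTED_ERROR_PAGE),
    ("blog.example", 500, INJECTED_ERROR_PAGE),
    ("cdn.example", 200, SELF_HOSTED_MINER_200),
]

if __name__ == "__main__":
    for host, status, body in SAMPLE_RESPONSES:
        print(host, status, scan_body(body))
    print("on-path injection suspects:", path_injection_suspects(SAMPLE_RESPONSES))
```

In practice the tuples would come from a proxy or passive capture log rather than an inline list; the grouping step is what separates a single website's own miner from one being injected by the network path between the users and the web.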

About the author

Julie Splinters - VPN service analyst

Julie Splinters is a VPN service analyst at Reviewedbypro.com, who specializes in VPN services and anti-spyware applications. Her major of English Philology and her passion for IT helped her choose the path of an IT writer.
