Cryptocurrency miner hits IoT devices, mostly affects Brazil and Russia!

According to a blog post published on Aug 1, 2018, 200,000 routers in Brazil were compromised to deliver cryptocurrency mining scripts that mine Monero (XMR). Hackers compromised the vulnerable MikroTik routers and injected CoinHive scripts into the routers' web pages to carry out the mass cryptocurrency miner attack. The IDS/IPS research team at Quick Heal Security Labs was observing the attack and soon started digging into the telemetry to find traces of it. This data mining effort turned up traces of the attack at our customers, all of which were completely blocked by Quick Heal’s IDS/IPS solution.

The telemetry data recorded the hits for IDS/IPS signatures from the period July 30, 2018, to Aug 4, 2018. We did not see hits after Aug 4, 2018. We believe the infected routers were cleaned up and patched against the vulnerability which led to the attack.

Fig 1. IDS/IPS signature hits

The compromised URLs that were accessed had a typical structure like this:

https://<Router IP Address>/<Random String>.php

A sample of the URLs received in telemetry is shown below.

Fig 2. Compromised URL telemetry

At the time of the analysis, the compromised pages did not deliver the cryptocurrency miner code, as most of them were down. A typical injected CoinHive JavaScript looks like this:

Fig 3. CoinHive Injection

To learn more about how CoinHive cryptocurrency works, read this blog post.
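
The URL structure and the CoinHive injection described above can be turned into a triage check over proxy or IDS records. The following is an added example, not Quick Heal's signature or code from the original post; the function names, the 4 to 32 character alphanumeric reading of "<Random String>", and the sample records are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: "<Random String>" is one alphanumeric path segment (the page gives no length or alphabet).
RANDOM_PHP = re.compile(r"^/[A-Za-z0-9]{4,32}\.php$")
# Publicly documented CoinHive loader markers: script file name and miner constructors.
COINHIVE_MARKERS = re.compile(r"coinhive(\.min)?\.js|CoinHive\.(Anonymous|User)\s*\(", re.I)

def host_is_ip(host):
    """True when the URL host is a bare IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def matches_router_url(url):
    """Match https://<Router IP Address>/<Random String>.php (plain http is accepted too)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return host_is_ip(parts.hostname) and bool(RANDOM_PHP.match(parts.path))

def triage(records):
    """Return (url, reasons) for every (url, body) record that matches either indicator."""
    hits = []
    for url, body in records:
        reasons = []
        if matches_router_url(url):
            reasons.append("ip-host-random-php")
        if COINHIVE_MARKERS.search(body or ""):
            reasons.append("coinhive-marker")
        if reasons:
            hits.append((url, reasons))
    return hits

# Constructed sample records (URL, response body); IPs are from documentation ranges.
SAMPLE = [
    ("https://192.0.2.10/a8Kd3fQz.php", ""),  # page was down, empty body
    ("https://198.51.100.7/x9TtR2.php",
     "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
     "<script>new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER').start();</script>"),
    ("https://example.com/index.php", "<html>ok</html>"),
    ("https://203.0.113.5/admin/login.php", ""),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The URL check alone also matches ordinary short page names such as index.php on an IP-literal host, so treat it as a triage signal and rely on the response-body marker for confirmation.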

The fingerprint of one of the routers is shown below; it clearly indicates that the device is a MikroTik.

Fig 4. Fingerprint of compromised IP – MikroTik device

The most affected country was Brazil followed by Russia. We also saw countries like Vietnam, the Republic of Moldova and the United States being affected.

Fig 5. Affected Countries

This shows the intensity of the mass router compromise, which in turn would have affected many users. It also shows the importance of patching well-known vulnerabilities. Updating routers and IoT devices is a challenge, but we strongly recommend getting familiar with the upgrade process for the various IoT devices you run and regularly updating them with the latest patches. Even though MikroTik had issued a patch against this vulnerability in April 2018, the affected devices were not patched, which led to this massive router compromise. To defend against such attacks, it is really important to patch all sorts of devices.

Quick Heal IDS/IPS Detection

  • HTTP/CoinhiveMiner.UN!KP.4461 – Coinhive miner requests

Reference

https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-%E2%80%93-First-we-cryptojack-Brazil,-then-we-take-the-World-/

Subject Matter Expert

Pradeep Kulkarni | Quick Heal Security Labs
