News & Comment: Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers

Security researchers have unearthed a massive cryptojacking campaign that targets MikroTik routers and changes their configuration to inject a copy of the Coinhive in-browser cryptocurrency mining script in some parts of users’ web traffic. Read Full Article: Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers


Sean Newman, Director Product Management, Corero Network Security:

“The recent infection of over 200,000 MikroTik routers is another prime example of how easy life can be for bad actors to be successful with their nefarious activities.  And, in this case, we’re not talking about cheap IoT devices with vulnerabilities which are never addressed by the vendor.  This is another example of an exploit leveraging a vulnerability that was rapidly fixed, in a new software release from the vendor, but most deployed devices remain vulnerable as their owners have not been aware of, or able to carry out, the upgrade.

In this case, the routers were exploited to deliver a crypto-mining payload but, the same approach could have just as easily leveraged them for other objectives, including data exfiltration or DDoS attacks.  From a DDoS perspective, the scale of processing power available in such devices could easily be leveraged for a single attack which could extend to tens of terabits per second, or many smaller attacks if they were used as part of a DDoS for hire service.

The challenge of unpatched devices is a hard one for the equipment vendors to solve, especially as, in many cases, they don’t actually know who the end-users are, so cannot reach out to them directly and notify them of critical software updates.  This evolving pool of Internet-connected devices, easily exploited by cybercriminals, is a key reason why organizations need to ensure they are deploying the latest cyber-security defences, whether that’s detecting crypto-jacking within their network or being able to defend from crippling DDoS attacks, in real-time.”