According to the reports, security researchers have mapped a series of cryptomining attacks that began by targeting users in Brazil and has since grown into a mining botnet. These attacks infect each compromised device with the mining malware.
The reports also revealed that the targeted MikroTik routers had not been updated and were running outdated software.
Notably, the devices were exposed to the attack even though MikroTik had patched the underlying remote-access vulnerability in April 2018: on routers that never received the fix, attackers could still gain unauthenticated administrative access remotely.
Security researchers who reverse engineered MikroTik’s patch then published a proof-of-concept exploit showing how the recovered vulnerability could be used to access MikroTik devices.
Attackers used that information to infect the routers with code that loads the CoinHive browser-based cryptomining software.
The miner is served whenever a user browsing the internet through one of the routers, via the MikroTik proxy, encounters an HTTP error page.
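The injection pattern described above, served on proxy error pages, can be checked for from the client side. The following is an added example, not code from the report or from MikroTik: it scans an HTML body (a constructed sample of an error page) for script tags that load the CoinHive library or start its miner. The host list and constructor names used as indicators are assumptions, not values taken from the article.

```python
from html.parser import HTMLParser

# Assumed indicators (not from the article): CoinHive loader hosts and miner constructors.
MINER_HOSTS = ("coinhive.com", "coin-hive.com")
MINER_MARKERS = ("CoinHive.Anonymous", "CoinHive.User")


class ScriptCollector(HTMLParser):
    # Collects external <script src> values and inline <script> bodies from a page.
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def find_miner_injection(html):
    """Return a list of findings describing miner scripts injected into the page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        # Extract the host from absolute or scheme-relative (//host/...) URLs.
        host = src.lower().split("//", 1)[-1].split("/", 1)[0]
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            findings.append("external miner script: " + src)
    for body in parser.inline:
        if any(marker in body for marker in MINER_MARKERS):
            findings.append("inline miner start: " + body.strip()[:60])
    return findings


# Constructed sample of a proxy error page with an injected miner (not a real capture).
SAMPLE_ERROR_PAGE = """<html><head><title>Error</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER'); m.start();</script>
</head><body><h1>502 Bad Gateway</h1></body></html>"""

if __name__ == "__main__":
    for finding in find_miner_injection(SAMPLE_ERROR_PAGE):
        print(finding)
```

To use it against a live network, fetch an error-producing URL once directly and once through the proxy and run both bodies through `find_miner_injection`; only the proxied response should ever differ.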
Researchers have so far noted at least three cryptojacking attacks exploiting this vulnerability. The first was recorded in Brazil and reportedly affected more than 183,700 MikroTik routers.
Two other attacks, which affected 16,000 and 25,000 MikroTik routers respectively, mainly in Moldova, were recorded by another security researcher.
This indicates that the campaign is not limited to one geographic region, which has worried analysts and researchers amid an overall growing trend.
Cryptojacking cases have exploded over the past couple of years and are emerging as one of the primary cybersecurity threats around the world, with cases on the rise even on traditionally safer operating systems such as Linux.
As is always the case in cybersecurity, users are being urged to be vigilant, especially when accessing public networks. Analysts in the cybersecurity space have also been very clear: if you have a MikroTik device, apply the patch immediately and change any passwords.