415,000 Routers Worldwide Have Been Infected With Crypto-Jacking Malware

05/12/2018

The hype around cryptocurrency in general has faded, but the crypto-jacking epidemic has not stopped.

Researchers have discovered that more than 415,000 routers in the world have been infected with malware designed for crypto-jacking, a method for stealing computing power to secretly mine cryptocurrency.

In particular, the malware infected MikroTik routers. In fact, the string of attacks can be dated back to July, when researchers discovered some 200,000 devices had been infected in Brazil.

By September, the number of infected devices had grown to 280,000, as the malware spread to routers in North America, South America, Africa, Europe, the Middle East, and Asia.

By December the count had passed 415,000, more than double the July figure.


However, it is worth noting that the number of hacked devices may be somewhat off.

This is because the data counts IP addresses observed serving crypto-jacking scripts, not routers. A router whose IP address changes can be counted more than once, so the actual number of infected routers is probably lower, somewhere around 350,000 to 400,000.

According to the National Vulnerability Database entry for the flaw in MikroTik's firmware (CVE-2018-14847):

"MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface."

While the hackers have favored CoinHive's scripts, which mine the privacy-oriented Monero cryptocurrency in the victim's browser, the researchers found a shift toward other mining services, such as Omine and CoinImp.
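The article does not describe how the researchers recognized an infected address, so the following is an added example of one way to do such a check, not code from the article or from the researchers. It scans HTTP response bodies for script loaders served from the mining services named above and, for CoinHive, pulls out the site key that identifies the attacker's account. The hostnames, the CoinHive loader pattern, and the sample responses (documentation IP ranges, fake site key) are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Hostnames of the browser-mining services named in the article. A page that
# loads a script from one of these hosts is a strong crypto-jacking indicator.
# (Hostname list is an assumption for this example.)
MINER_HOSTS = {
    "coinhive.com": "CoinHive",
    "omine.org": "Omine",
    "coinimp.com": "CoinImp",
}

# <script ... src="..."> tags, attribute quoted with " or '.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)

# CoinHive's loader is started with the attacker's site key, for example
# new CoinHive.Anonymous('<site key>'). The key ties an infection to a campaign.
COINHIVE_KEY_RE = re.compile(
    r'CoinHive\.(?:Anonymous|User)\(\s*["\']([A-Za-z0-9]+)["\']', re.I)


def find_miner_indicators(html):
    """Return (service, script_url) pairs for known mining loaders in an HTML body."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = (urlparse(src).hostname or "").lower()
        for domain, service in MINER_HOSTS.items():
            if host == domain or host.endswith("." + domain):
                hits.append((service, src))
    return hits


def extract_coinhive_keys(html):
    """Return the distinct CoinHive site keys referenced in an HTML body."""
    return sorted(set(COINHIVE_KEY_RE.findall(html)))


def scan_responses(responses):
    """responses: {ip: html}. Return {ip: {"services": [...], "keys": [...]}}
    for the IPs whose response carries a known miner; clean IPs are omitted."""
    report = {}
    for ip, html in responses.items():
        hits = find_miner_indicators(html)
        if not hits:
            continue
        report[ip] = {
            "services": sorted({service for service, _ in hits}),
            "keys": extract_coinhive_keys(html),
        }
    return report


# Constructed sample responses (documentation IP ranges, fake site key); not real captures.
SAMPLE_RESPONSES = {
    "198.51.100.7": (
        '<html><body><h1>Error</h1>'
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        '<script>var m = new CoinHive.Anonymous("EXAMPLEKEYNOTREAL0000000000000000");'
        'm.start();</script></body></html>'
    ),
    "203.0.113.42": (
        '<html><head><script src="https://www.omine.org/js/miner.js"></script></head>'
        '<body>Welcome</body></html>'
    ),
    "192.0.2.9": (
        '<html><body>No miner here.'
        '<script src="https://cdn.example.net/app.js"></script></body></html>'
    ),
}

if __name__ == "__main__":
    for ip, info in scan_responses(SAMPLE_RESPONSES).items():
        print(ip, info["services"], info["keys"])
```

Grouping hits by CoinHive site key rather than by IP address sidesteps the over-counting problem mentioned above: a router that changes IP address shows up as a new address, but it keeps serving the same attacker's key.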

Owners of vulnerable routers can protect themselves by updating to the latest RouterOS firmware available for their device. Updating closes the hole, but it does not undo configuration changes an attacker has already made, so a router that was already compromised should also be checked and cleaned.

Internet service providers (ISPs) can also help users fight the spread of the malware by pushing updates to the routers they supply. Unfortunately, many ISPs simply won't take action to mitigate the attacks.

“Users should indeed update their routers, yet the biggest bunch of them are distributed by ISPs to their customers, who often have no idea what to do or how to update the router,” explained the researchers. "Often these distributed routers are limited in their rights as well, not allowing users to update the routers themselves."

“The patch for this specific problem has been out for months and I’ve seen ISPs with thousands of infections disappear from the list."

So even though the cryptocurrency bubble has burst, leaving a glut of graphics cards stockpiled at the height of the boom, crypto-jacking remains a serious security threat.