Mass Crypto-Jacking Attack In Brazil Affects More Than 200,000 Routers

31/07/2018

An elaborate cryptocurrency mining attack has infected more than 200,000 routers across Brazil.

First discovered on July 31st, the attack affects MikroTik routers. To pull it off, the attacker exploited a previously unknown vulnerability in the routers' software (a zero-day attack) to infect the devices with malicious code, making them part of a CoinHive Monero (XMR) mining botnet.

A patch for this vulnerability has been issued, but apparently many MikroTik router owners do not update their devices regularly.

Analysts fear that the attack could spread to more countries, given the suspiciously high volume of CoinHive traffic observed in Brazil.

Monero Brazil

"I saw that all of these devices were using the same CoinHive sitekey, meaning that they all ultimately mine into the hands of one entity," reports Simon Kenin, who first discovered the attack. "I looked for the CoinHive sitekey used on those devices, and saw that the attacker indeed mainly focused on Brazil."

"Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source: carrier-grade router devices."

"There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, and each device serves at least tens if not hundreds of users daily."

"I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale."

Previously, the world experienced a ransomware plague in which many users were locked out of their devices. While ransomware attacks are still being launched in several places, the wider trend has shifted to crypto-jacking.

Malicious cryptocurrency mining has been rapidly replacing traditional ransomware because it can be stealthier and more profitable: the longer the miners run without the users noticing, the more money the attacker earns.

The cryptocurrency community is struggling to figure out how to stop the ever-growing amount of crypto-jacking, as many malware authors limit CPU utilization or ensure that mining only takes place at specific times of the day or when the user is inactive.
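To make two points from this article concrete, Kenin's observation that one CoinHive sitekey across many devices means one operator collects for all of them, and the CPU throttling just described, here is an added Python example that is not from the article or from the researcher. It scans constructed HTML bodies as received by clients behind several routers, extracts sitekeys using the public CoinHive loader's `CoinHive.Anonymous(sitekey, options)` call shape, and flags keys shared across hosts and keys configured with a throttle; the hostnames, sitekeys and page contents are all made up.

```python
import re
from collections import defaultdict

# Constructed sample: HTML bodies as received by clients behind four different
# routers. The miner snippet follows the public CoinHive loader shape
# (coinhive.min.js, CoinHive.Anonymous(sitekey, options)); hosts/keys are made up.
LOADER = '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
SAMPLE_PAGES = {
    "router-a.example": '<html><head>' + LOADER + '<script>var m=new CoinHive.Anonymous('
        '"CONSTRUCTEDKEYSHAREDBYTWOROUTERS",{throttle:0.3});m.start();</script></head></html>',
    "router-b.example": '<html><body>' + LOADER + "<script>new CoinHive.Anonymous("
        "'CONSTRUCTEDKEYSHAREDBYTWOROUTERS').start();</script>hello</body></html>",
    "router-c.example": '<html><body><p>clean page, nothing injected</p></body></html>',
    "router-d.example": '<html><body>' + LOADER + '<script>new CoinHive.Anonymous('
        '"CONSTRUCTEDKEYSEENONONLYONEHOST0", {threads: 2}).start();</script></body></html>',
}

# Capture the sitekey and, if present, the options object passed to the miner.
MINER_RE = re.compile(
    r'CoinHive\.Anonymous\(\s*["\']([A-Za-z0-9]+)["\']\s*(?:,\s*(\{[^}]*\}))?', re.I)
THROTTLE_RE = re.compile(r'throttle\s*:\s*([0-9.]+)')


def extract_miners(body):
    """Return [(sitekey, throttle_or_None), ...] for every miner call in an HTML body."""
    found = []
    for m in MINER_RE.finditer(body):
        key, opts = m.group(1), m.group(2) or ""
        t = THROTTLE_RE.search(opts)
        found.append((key, float(t.group(1)) if t else None))
    return found


def correlate(pages, min_hosts=2):
    """Group hosts by sitekey: a key shared across unrelated hosts points to one operator;
    a non-zero throttle means the miner holds back CPU to stay unnoticed."""
    by_key = defaultdict(set)
    throttled = set()
    for host, body in pages.items():
        for key, throttle in extract_miners(body):
            by_key[key].add(host)
            if throttle:           # None or 0.0 means the miner runs at full speed
                throttled.add(key)
    shared = {k: sorted(v) for k, v in by_key.items() if len(v) >= min_hosts}
    return shared, throttled


if __name__ == "__main__":
    shared, throttled = correlate(SAMPLE_PAGES)
    for key, hosts in shared.items():
        flag = " (throttled)" if key in throttled else ""
        print(f"sitekey {key} on {len(hosts)} hosts: {', '.join(hosts)}{flag}")
```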

Additionally, crypto-jacking malware can be delivered by a large number of methods, requiring defenders to take a defence-in-depth approach to security.

It is estimated that as many as 55 percent of businesses worldwide are exposed to this kind of attack, and that about 5 percent of all Monero in circulation has been mined by malicious mining software.