
MikroTik routers in NZ may be at risk of cryptomining - Symantec

20 Aug 2018

Symantec has been tracking a large-scale coin mining campaign that has so far infected about 157,000 MikroTik routers.

Cryptocurrency coinminers are the new ransomware and malicious actors have already pounced on the opportunity to make their fortune.

The campaign was discovered in August 2018 and was initially concentrated in Brazil.

It soon spread to routers around the world, and since MikroTik routers are widely sold and deployed in New Zealand, local devices running unpatched RouterOS are exposed in the same way.

Mitigation

MikroTik has already published a patch to address CVE-2018-14847.

Symantec recommends that users install the patch on their routers if they have not already done so (the fix shipped in RouterOS 6.42.1).

Users can also consider disabling the following services on their routers, if not required:

  • TELNET
  • SSH
  • FTP
  • WINBOX

These routers are used by many organisations and businesses, including internet service providers.

While MikroTik was prompt in patching CVE-2018-14847, unfortunately, poor patching practices by vendors and users mean that there are plenty of vulnerable routers still out there.
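The following RouterOS terminal commands carry out the mitigation steps above on a single device. This is an added example, not commands from Symantec's write-up or from MikroTik; the management subnet 192.168.88.0/24 and the WAN interface name ether1 are assumptions for illustration and must be changed to match the deployment.

```routeros
# Added example (not from the original article). Assumptions: 192.168.88.0/24 is
# the trusted management network and ether1 is the internet-facing interface.

# 1. Confirm the running version. CVE-2018-14847 affects the Winbox service on
#    RouterOS releases before 6.42.1; every infected device in this campaign ran
#    a version between 6.29 and 6.42.
/system resource print
/system package update check-for-updates
/system package update install

# 2. Disable the management services the article lists if they are not needed.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set ssh disabled=yes
/ip service set winbox disabled=yes

# 3. If SSH or Winbox must remain enabled, bind them to the management subnet so
#    they are no longer reachable from arbitrary internet addresses.
/ip service set ssh address=192.168.88.0/24 disabled=no
/ip service set winbox address=192.168.88.0/24 disabled=no

# 4. Belt and braces: drop inbound connections to the management ports on the
#    WAN interface regardless of the per-service address restriction.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=21,22,23,8291 action=drop comment="drop mgmt ports from WAN"

# 5. Verify the result: every listed service should show disabled=yes or a
#    non-empty address restriction.
/ip service print
```

Run the update step first and let the router reboot before tightening services, so that a mistake in the address restriction does not lock you out of a device that is still vulnerable.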

A router post-mortem

At the outset, the compromised router has multiple services running on it.

Interestingly, the infected router had the default web service disabled.

Pointing a browser to the infected router’s port 80 causes it to serve the Coinhive script responsible for coin mining.

But when the infected router sits between a client and the server it is talking to, that is, when it forwards the client's traffic rather than being the destination, this HTML page is only served when an HTTP error occurs.

This is because the router has been configured with a firewall rule that diverts web traffic to a local proxy, and it is the proxy's error page that carries the malicious HTML.

Using network address translation (NAT), the firewall rule takes traffic bound for TCP port 80 and redirects it to port 8080 on the router itself.

The router is also configured to run a default proxy server on port 8080 that’s responsible for serving the Coinhive script.

The script recovered from the router is responsible for performing multiple malicious actions on it, including, but not limited to:

  • Enabling the proxy service
  • Adding the firewall NAT entry
  • Enabling Winbox, FTP, SSH services
  • Disabling the WWW service
  • Scheduling various tasks to remain persistent on the router
  • Adding a backdoor user with the name “ftu” to the FTP group

It’s likely that this script was downloaded using the inbuilt /tool fetch command and run using the /import command.

All the infected MikroTik routers (v6.29 to v6.42) that Symantec's threat intelligence team encountered were running the Winbox service, which is known to be vulnerable to CVE-2018-14847.

When exploited successfully, this flaw allows an unauthenticated attacker to read arbitrary files through the Winbox service, including the router's user database, and so to bypass authentication and compromise the router.

After the router is compromised, the attackers can load their malicious error page, which is displayed any time a user accessing the internet via the router encounters an HTTP error.

Every time the error page is rendered, the victim's browser is unknowingly mining Monero (XMR) for the attackers.
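The indicators described in the post-mortem above can be checked for on a RouterOS device with the commands below. This is an added example, not Symantec's tooling and not part of the original article; the assumption that the proxy's error page lives in a file whose name contains "error" (RouterOS serves the web proxy error page from a file in its file store), and the use of "fetch" as a keyword to spot persistence entries, are the author's own choices and will need adjusting per device.

```routeros
# Added example (not from the original article). Each "print" shows the
# indicator the post-mortem describes; review every match before removing it,
# because legitimate configurations can contain similar rules.

# NAT rule that diverts client port-80 traffic to the local proxy on 8080
/ip firewall nat print where chain=dstnat protocol=tcp dst-port=80 \
    action=redirect to-ports=8080

# Web proxy unexpectedly enabled, and any file it could serve as its error page
# (file name match is an assumption, not an indicator from the write-up)
/ip proxy print
/file print where name~"error"

# WWW service disabled while Winbox, FTP and SSH are enabled
/ip service print

# Scheduler entries and stored scripts used for persistence; "fetch" is a
# heuristic keyword, since the payload was likely retrieved with /tool fetch
/system scheduler print detail
/system script print detail
/system scheduler print where on-event~"fetch"

# Backdoor account named "ftu"
/user print where name="ftu"

# Cleanup, only after confirming the matches above are malicious
/ip firewall nat remove [find chain=dstnat protocol=tcp dst-port=80 \
    action=redirect to-ports=8080]
/ip proxy set enabled=no
/user remove [find name="ftu"]
/system scheduler remove [find on-event~"fetch"]
/system script remove [find source~"fetch"]

# Export the full configuration for offline review of anything missed
/export file=post-cleanup-review
```

Cleanup alone is not sufficient: the attacker still holds whatever credentials were read through CVE-2018-14847, so after removing the artefacts, apply the patch described in the Mitigation section and change every administrative password on the device.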
