Routers around the world may be infected with cryptojacking malware

Routers around the world may be infected with cryptojacking malware

415,000 routers worldwide reportedly infected with cryptojacking malware.

On a global scale, about 415,000 routers could be affected by cryptojacking (an act, in which attackers use the victim’s computing power to mine cryptocurrencies), according to security researcher VriesHD. The number of affected routers has more than doubled since the malware was initially discovered in August. At the time, it was reported that around 200,000 routers were affected.

Just three different ways to abuse vulnerable Mikrotik routers to try to mine cryptocurrencies. Total combined 415 thousand results. Many more ways active. — Kira 2.0 (@VriesHd) December 2, 2018

While attackers used to favor CoinHive – a mining software for privacy-coin Monero – there has been a significant shift to other mining software, such as Omine, VriesHD told The Next Web. Even though the malware threat is expanding, it only affects users who use MikroTik routers. “It is worth pointing out that the number of breached devices might be slightly off, since the data reflects IP addresses known to have been infected with cryptojacking scripts,” The Next Web reported. “Still, the total amount of compromised routers is still pretty high.”

What vulnerability did this cryptojacking campaign exploit?

The cryptojacking campaign exploits a security flaw in Winbox, a remote management service bundled in MikroTik routers’ operating system, RouterOS. The vulnerability, which doesn’t have the typical CVE identifier, was disclosed in April 2018 and accordingly patched.

Winbox enables users to remotely configure their devices online. Successfully exploiting the vulnerability would let attackers use tools that can connect to the Winbox port (8291) and “request access system user database files.”

How can this threat be thwarted?

Fortunately, it’s possible to prevent cryptojacking with a few security tips and tricks. In case a router gets infected (you can try this router checker by cybersecurity giant F-Secure), one should immediately install the latest firmware update for the router.