Blockchain & Cryptocurrency , Endpoint Security , Internet of Things Security

Router Cryptojacking Campaigns Disrupted

20,000 Hacked MikroTik Routers in Southeast Asia Were Malware-Infected
Router Cryptojacking Campaigns Disrupted

Nearly 16,000 malware-infected MicroTik routers have been scrubbed of Coinhive cryptojacking code thanks to an international police operation.

See Also: Gartner Insights: Uncover, Investigate, and Respond to Endpoint Threats with EPPs

The international law enforcement agency Interpol says it launched Operation Goldfish Alpha in June 2019 to target 20,000 hacked routers in Southeast Asia that were being used to mine for cryptocurrency, as well as to raise awareness in the region of the threat posed by cryptojacking.

By the end of November 2019, Interpol reports, that the number of infected devices had been reduced by 78 percent.

Tokyo-based security firm Trend Micro, which assisted with the operation, says the 20,000 routers had all been built by Latvian manufacturer MikroTik and later infected with Coinhive, a small piece of JavaScript designed to mine for monero.

Cryptojacking refers to the unauthorized, hidden use of computing power to mine for cryptocurrency. Some schemes have focused on using identity theft to purchase on-demand cloud computing power to run cryptominers (see: Singapore Man Charged in Large-Scale Cryptomining Scheme). But security experts say the majority of such attacks focus on infecting PCs and servers - as well as mobile and internet of things devices - with cryptomining malware (see: Criminals' Cryptocurrency Addiction Continues).

What cryptojacking might seem like a victimless crime, experts say otherwise.

"Affected users will notice their device slowing down due to the high CPU usage in addition to higher electricity bills," Troy Mursch of Chicago-based threat intelligence firm Bad Packets has told Information Security Media Group. "This process also generates a lot of heat, and we've seen physical damage in some cases with mobile devices." (See: Cryptojacking: Mitigating the Impact.)

Operation Goldfish Alpha

Interpol says Operation Goldfish Alpha was run by its Association of Southeast Asian Nations Cyber Capability Desk. ASEAN comprises 10 countries in Southeast Asia: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Collectively they have a population of 650 million people (see: Vietnamese APT Group Targets BMW, Hyundai: Report).

Craig Jones, Interpol’s director of cybercrime, speaking in Singapore for the launch of Operation Goldfish Alpha (Photo: Interpol)

"During the five months of the operation, cybercrime investigators and experts from police and national computer emergency response teams across the 10 ASEAN countries worked together to locate the infected routers, alert the victims and patch the devices so they were no longer under the control of the cybercriminals," Interpol says. "Interpol’s ASEAN Desk facilitated the exchange of information and follow-up actions amongst the countries involved."

Interpol says private-sector support from two Japan-based firms was key to the success of the operation. "Private sector partners, including Cyber Defense Institute and Trend Micro, supported the operation through information sharing and analysis of cryptojacking cases, and providing the participating countries with guidelines for patching infected routers and advice on preventing future infections," it says. "The National Cyber Security Center of Myanmar also issued a set of good cyber hygiene guidelines for protecting against cryptojacking."

Trend Micro says that it briefed ASEAN law enforcement officers in June 2019 about information gleaned from its research into attack and infection trends.

"A few months later, we developed and disseminated a key 'Cryptojacking Mitigation and Prevention' guidance document," Trend Micro says in a blog post. "It details how a vulnerability in MikroTik routers had exposed countless users in the region to the risk of compromise by cryptomining malware."

Trend Micro says that the guide pointed to its free HouseCall for Home Networks software that "can be used to detect and delete the Coinhive JavaScript that hackers were using to mine for digital currency on infected PCs" and connected devices.

“When faced with emerging cybercrimes like cryptojacking, the importance of strong partnerships between police and the cybersecurity industry cannot be overstated,” says Craig Jones, Interpol’s director of cybercrime. “By combining the expertise and data on cyber threats held by the private sector with the investigative capabilities of law enforcement, we can best protect our communities from all forms of cybercrime."

Repeat Target: Unpatched MikroTik Routers

MikroTik routers have been a repeat target for cryptomining rings, in part because many users have yet to patch them to fix exploitable flaws.

Snapshot of mining activity for one of the distributed monero keys being used to infect MikroTik routers in 2018 (Source: Avast)

In April 2018, for example, MikroTik had quickly patched a zero-day flaw, designated CVE-2018-14847, that attackers can use to gain full access to a vulnerable router. Exploiting the flaw can give them access to Winbox, a simple GUI administration utility for MicroTik's RouterOS, as well as to Webfig, which is the web-based version of the utility.

But patching lagged. By September 2018, Bad Packets reported that it was seeing at least "80 unique cryptojacking campaigns targeting vulnerable MikroTik routers," and that more than 209,000 carrier-grade MicroTik routers had been infected with one of two different types of software - Coinhive and Crypto-Loot - that mine for cryptocurrency (see: Cryptojackers Keep Hacking Unpatched MikroTik Routers).

Would-be attackers have also been able to use free tools - such as MikroRoot, available on GitHub - to scan the internet for vulnerable routers and automatically take control of them.

On Thursday, IoT device search engine Censys counted more than 26,000 Coinhive-infected MikroTik routers around the world, including 745 in the United States.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.