The exploit code for the CVE-2018-14847 vulnerabilities is becoming a commodity in the hacking underground, just after its disclosure crooks started using it to compromise MikroTik routers. Thousands of unpatched devices are mining for cryptocurrency at the moment.
Earlier August, experts uncovered a massive crypto jacking campaign that was targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.
The campaign started in Brazil, but it is rapidly expanded to other countries targeting MikroTik routers all over the world, over 200,000 devices were compromised.
Even if the vendor released a security fix that addresses the flaw in April, the number of not updated routers is still very high.
Last week. experts from the security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously, allowing attackers to hijack the traffic of the hacked devices.
The researchers scanned the Internet for vulnerable devices, they found more than 5,000K devices with open TCP/8291 port, and 1,200k of them are Mikrotik devices, within which 370k (30.83%) are CVE-2018-14847 vulnerable.
Summarizing, more than 370,000 of 1.2 million MikroTik routers are still vulnerable to the CVE-2018-14847 exploit because owners have not updated them.
Most of the vulnerable devices are located in Brazil, Russia, and Indonesia.
Now the researcher Troy Mursch noticed that the infected MikroTik routers from the latest campaign open a websockets tunnel to a web browser mining script.
“According to the researcher, the malware increases the CPU activity of an infected MikroTik router to about 80% and maintain it at this level.” reads a blog post published by BleepingComputer.
“This gives room for other tasks to run and mine for cryptocurrency at the same time, in the hope of keeping the activity hidden from the user.”
— Bad Packets Report (@bad_packets) September 10, 2018
The expert found 3,734 devices by querying Shodan for MikroTik routers running the mining tool, and the number is growing.
Most of the routers compromised in this campaign are located in Brazil (2,612) and Argentina (480).
Earlier August the researcher who goes online with the Twitter handle MalwareHunterBR uncovered a massive cryptojacking campaign that targeted MikroTik routers. The hackers aimed to change the configuration of the devices to inject a Coinhive cryptocurrency mining script in the users’ web traffic.
— MalwareHunterBR (@MalwareHunterBR) July 30, 2018
According to Trustwave the hackers were exploiting a zero-day flaw in the MikroTik routers to inject a copy of the Coinhive library in the traffic passing through the MikroTik routers.