On July 31st , just after getting back to the office from my talk at RSA Asia 2018 about how cyber criminals use cryptocurrencies for their malicious activities, I noticed a huge surge of CoinHive in Brazil.
After a quick look I saw that this is not your average garden variety website compromise, but that these were all MikroTik network devices.
Figure 1: Shodan query of MikroTik devices in Brazil with CoinHive that returns over 70,000 results
This could be a bizarre coincidence, but on further inspection I saw that all of these devices were using the same CoinHive sitekey, meaning that they all ultimately mine into the hands of one entity. I looked for the CoinHive site-key used on those devices, and saw that the attacker indeed mainly focused on Brazil.
Figure 2: Shodan query for the CoinHIve sitekey used by the attacker
My first thought was that on such a large scale that could be a zero day exploit, possibly in the MikroTik HttpProxy component, so my next step was to check whether anyone else also noticed this, since during the conference I had limited time and internet access to keep up with daily news.
Google didn't produce many results, but the few that did come up were actually quite useful in helping me pinpoint the attack vector and what the attacker did.
For example, this result show injection of CoinHive on a hospital website in Brazil. However this webserver runs Apache, which contradicted my initial thought of an exploit directly in MikroTik HttpProxy:
Figure 3: Brazilian hospital returning a page with CoinHive
After doing some querying on Shodan I actually found the hospital's MikroTik device, so perhaps it is an issue with MikroTik, but not necessarily with the HttpProxy. So there I was, back at square one with a huge surge of CoinHive hits in Brazil but no idea where and how it originated, and back to my Google results I went to see what else they had to offer.
I found the following post on Reddit:
Figure 4: Google translated image of the Reddit post
I used Google Translate to try and understand what was written. In the post the author complains that every page they visit injects the CoinHive code, and that neither changing the DNS nor removing the router altogether fixes the issue, so we can suspect that there's a bigger issue at hand.
At this point it's worth noting that MikroTik routers are used by Internet providers and big organizations, and in this case it seem that the Reddit post's author's ISP had their router compromised, same as the router of the hospital I mentioned earlier in the post.
Figure 5: Google translated image of a reply from the post author
Ok, very interesting, something is definitely is going on with MikroTik devices in Brazil, but what?
Third time's a charm: the following tweet I found on Google helped solve the mystery.
This tweet was tweeted one day earlier mentioning this attack, but back then the numbers were much lower:
Figure 6: An Image from the tweet from @MalwareHunterBR
In the tweet the author mentions the exploit used, but it was not a zero day, the exploit was for a vulnerability patched by MikroTik on April 23rd. To MikroTik's credit, they patched the vulnerability within a day of its discovery, but unfortunately there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone.
The exploit targets Winbox and allows the attacker to read files from the device. You can read the details in the dissection above, but the bottom line is that using this exploit you can get unauthenticated remote admin access to any vulnerable MikroTik router.
Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device's functionality in order to inject the CoinHive script into every web page that a user visited.
How was this done?
For starters, all those pages I saw in Shodan are actually error pages of the webproxy, so the attacker created a custom error page with the CoinHive script in it:
Figure 7: The attacker creates a custom error.html page in the file system
Figure 8: The contents of the error.html file
So if a user receives an error page of any kind while web browsing, they will get this custom error page which will mine CoinHive for the attacker. This is likely the scenario I witnessed when looking at the hospital CoinHive incident in figure 3.
The backend Apache server is connected to the router as well, and somewhere along the way there was an error and it was displayed to me, miner included. What this means is that this also impacts users who are not directly connected to the infected router's network, but also users who visit websites behind these infected routers. In other words, the attack works in both directions.
But as reported by the user on Reddit, in their case every page would be returned with CoinHive code inside which isn't explained by the above scenario. Further investigation found this script:
Figure 9: Contents of "script3_"
Figure 10: A user connects to the router wireless network, and at the same second the script executed
As can be seen in the picture above, a user connects to the wireless network and the script is executed right away.
Unfortunately the content of mikrotik.php is unknown as the file no longer exists on the attacker's server. It could be the script that injects CoinHive into every html page, how this is done exactly we don't know yet, however the attacker is clearly showing a high level of understanding of how these MikroTik routers work.
This can be seen in the persistence mechanism of the attacker:
Figure 11: Scheduled tasks added by the attacker
The attacker scheduled a task which connects to another host "min01.com" and fetches a new "error.html" file. This was probably put in place in case CoinHive blocked the attacker's current site-key and it had to be replaced with another.
The attacker also scheduled a task which downloads and executes a script written for MikroTik routers named "u113.rsc". When we checked the script was just being used as a placeholder, but it's clearly a way for the attacker to send additional commands to all compromised devices at their disposal.
Figure 12: At the time of writing the update script would wait 1 second and finish
We also identified the script the attacker uses when they find a new vulnerable router:
Figure 13: Commands which are executed when the router infected
We can see that the script modifies some system settings, enables the proxy, fetches the custom error pages and creates the scheduled tasks for updating if needed. A backdoor account named "ftu" is created as well.
I noticed this script being updated a few times while working on this blog. The attacker seems to be adding more cleanup commands to leave a smaller footprint and reduce risk of being detected.
Finally, a keen eye might notice that in this code there is no mention of "script3_" which I talked about earlier in the blog. This script existed in earlier iterations, I suspect that the injection of CoinHive into every page made too much noise and (hopefully) with other parties also investigating this the attacker is trying to lay low.
This is a trend we've been seeing a lot of over the last three years, as attackers shift from ransomware into the world of miners. Ransomware awareness has increased significantly so, in many cases, even if an attacker manages to encrypt files users these days have backups. This means that they don't pay the ransom as frequently as they used to.
Miners, on the other hand, can be a lot more stealthy, so while a single computer would yield more money from ransomware if the user ends up paying, an attacker would prefer to run a stealthy miner for a longer period of time. The plan being that at some point the mining would be as profitable as, if not more than, the one-time ransom payout.
This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible, this attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale.
Figure 14: Censys.io reports over 170,000 MikroTik devices with the CoinHive site-key
Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices.
There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily.
Allegedly, each user would have initially gotten the CoinHive script regardless which site they visited. Even if this attack only works on pages that return errors, we're still talking about potentially millions of daily pages for the attacker.
As mentioned, servers that are connected to infected routers would also, in some cases, return an error page with CoinHive to users that are visiting those servers, no matter where on the internet they are visiting from.
Compromised MikroTik customers that have Trustwave SWG connected to the router will see a huge spike in CoinHive blocks.
Stay tuned for possibly more details as we continue to analyze this attack.