Brazil has been hit by a crypto-mining attack that has exploited thousands of routing devices across the country. The attack, which is still ongoing, specifically targets MikroTik routers, turning them into an enormous automated Monero-mining network. The attack began earlier this week and is still in its early stages. While many consider that it could turn into a global epidemic, a report from Bleeping Computer states that the total number of machines affected in Brazil alone is over 200,000.
The offenders were able to compromise the devices with malicious code and then silently run CoinHive, a Monero mining script that has been predominantly used to mine cryptocurrency for charity. This attack was classified as a "zero day", that is, an attack in which previously unknown vulnerabilities in code are exploited to take control of a device or network. The zero-day attack was used to run CoinHive on every single page visited through the affected devices. As a result, millions of web pages were served with hidden mining payloads every day.
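Because a compromised router injects the same miner into every page that passes through it, the signature from the browsing side is an unexpected third-party script appearing on unrelated sites. The detector below is an added example, not code from the original article or from any of the parties it mentions; it assumes the injected miner loads its library from coinhive.com and starts it with the CoinHive.Anonymous API, and the HTML pages it inspects are constructed for the example.

```python
"""Flag a CoinHive miner injected into HTTP responses, page by page and across pages.

Added example, not from the original article. Assumptions: the injected miner loads
coinhive.min.js from coinhive.com and starts it via CoinHive.Anonymous(...); the sample
pages in SAMPLES are constructed and the site key is a placeholder.
"""
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts known to serve the miner library (assumption for this example).
MINER_HOSTS = {"coinhive.com"}
# The library's public API: an inline call that starts mining is a strong marker.
INLINE_MARKER = re.compile(r"new\s+CoinHive\.(?:Anonymous|User)\s*\(")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_miner_injection(html, page_url):
    """Return a list of (finding, host) tuples for one fetched page; empty means clean."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        # urlparse handles absolute and protocol-relative URLs; relative paths have no host.
        host = urlparse(src).hostname or ""
        if host in MINER_HOSTS:
            findings.append(("miner_library", host))
    for body in parser.inline:
        if INLINE_MARKER.search(body):
            findings.append(("miner_start_call", urlparse(page_url).hostname))
    return findings


def injected_hosts_across_origins(samples, min_origins=2):
    """Third-party script hosts seen on pages from at least `min_origins` distinct origins.

    A miner injected by a router shows up on every site browsed through it, so one
    third-party host recurring across unrelated origins is the signature. Legitimate
    shared CDNs match too, so review the result against an allowlist.
    """
    seen = defaultdict(set)
    for page_url, html in samples:
        origin = urlparse(page_url).hostname
        parser = ScriptCollector()
        parser.feed(html)
        for src in parser.srcs:
            host = urlparse(src).hostname
            if host and host != origin:
                seen[host].add(origin)
    return {h: len(o) for h, o in seen.items() if len(o) >= min_origins}


# Constructed sample pages: two unrelated sites carrying the injected snippet, one clean.
MINER_SNIPPET = (
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    '<script>var miner = new CoinHive.Anonymous("SITEKEY-PLACEHOLDER"); miner.start();</script>'
)
SAMPLES = [
    ("http://news.example.org/index.html",
     "<html><head><title>News</title>" + MINER_SNIPPET + "</head><body><p>story</p></body></html>"),
    ("http://shop.example.net/cart",
     "<html><body><p>cart</p>" + MINER_SNIPPET + "</body></html>"),
    ("http://clean.example.com/",
     '<html><head><script src="/static/app.js"></script></head><body>ok</body></html>'),
]

if __name__ == "__main__":
    for url, html in SAMPLES:
        print(url, find_miner_injection(html, url))
    print("recurring third-party hosts:", injected_hosts_across_origins(SAMPLES))
```

Run against real captures, the page-level check tells you which responses carry the miner, and the cross-origin check tells you whether the injection happens upstream of the sites themselves, which points at the network path (a router or ISP) rather than at any one compromised website.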
MikroTik had already released a patch for these vulnerabilities back in April, so anyone running a MikroTik router was expected to apply it immediately. Evidently, however, most of the routers were never updated.
Simon Kenin, a SpiderLabs researcher, was tipped off when he noticed a suspiciously high amount of CoinHive traffic from Brazil. Since discovering the attack, he has been working to spread the word across the community. In a statement emphasizing the severity of the attack, he said that there are thousands upon thousands of these devices around the globe, in use by ISPs, organisations and businesses, and each device serves at least tens, if not hundreds, of users daily. The scale of this attack's impact is therefore clear.
He further suspects this is a symptom of a wider trend of hostility across the internet. Ransomware used to dominate, but as user awareness grew it became harder to pull off, so attackers are turning to newer methods such as crypto-jacking, and scripts like CoinHive are becoming the rage. Every user should check whether they are using a MikroTik router and, if so, go straight to the vendor's website for the official upgrade.