Symantec Threat Intelligence – New Zealand routers may be at risk, Symantec recommends action
Post-mortem of a Compromised MikroTik Router
Symantec has been tracking a large-scale coin-mining campaign has currently infected about 157,000 MikroTik routers.
Cryptocurrency coinminers are the new ransomware and malicious actors have already pounced on the opportunity to make
their fortune.
The coin-mining was discovered in August and initially concentrated in Brazil. However, it soon began infecting routers
around the world, and MikroTik routers are available in New Zealand.
Protection
The following Symantec intrusion prevention system (IPS) detections blocked this coin-mining campaign from day one:
•Web Attack: JSCoinminer Download 6 (30356)
•Web Attack: JSCoinminer Download 8 (30358)
Mitigation
MikroTik has already published a patch to address CVE-2018-14847. Symantec recommends users to install the patch on
their routers, if they have not done so already. Users can also consider disabling the following services on their
routers, if not required:
1. TELNET
2. SSH
3. FTP
4. WINBOX
These routers are used by many organisations and businesses, including internet service providers. While MikroTik was
prompt in patching CVE-2018-14847, unfortunately poor patching practices by vendors and users mean that there are plenty
of vulnerable routers still out there.
A Router Post-mortem
At the outset, the compromised router has multiple services running on it. Interestingly, the infected router had the
default web service disabled.
Pointing a browser to the infected router’s port 80, causes it to serve the Coinhive script responsible for coin mining.
But when the infected router is found in between a client sending a request and a server receiving it, this HTML page is
only served when there’s an error. This is because internally the router is configured with a firewall rule that helps
serve this malicious HTML page. Using network address translation (NAT), the firewall rule takes traffic bound to port
80 and redirects it to port 8080. The router is also configured to run a default proxy server on port 8080 that’s
responsible for serving the Coinhive script.
The script below is responsible for performing multiple malicious actions on the router including, but not limited to:
• Enabling the proxy service
• Adding the firewall NAT entry
• Enabling Winbox, FTP, SSH services
• Disabling the WWW service
• Scheduling various tasks to remain persistent on the router
• Adding a backdoor user with the name “ftu” to the FTP group
It’s likely that this script was downloaded using the inbuilt /tool fetch command and run using the /import command.
All the infected MikroTik routers (v6.29 to v6.42) that the Symantec Threat Intelligence encountered were running the
Winbox service, which is known to be vulnerable to CVE-2018-14847. When exploited successfully, this flaw can allow an
attacker to bypass authentication and compromise the router. After the router is compromised, the hackers can load their
malicious error page, which is displayed any time a user accessing the internet via the router encounters an HTTP error.
Every time the error page is displayed, the victim is unknowingly mining Monero (XMR) for the hackers.
For more information and images please visit the Symantec Threat Intelligence Blog.