Cryptojacker Campaign Hits MikroTik Routers

Published: 23/11/2024   Category: security




More than 200,000 routers hit with a sophisticated cryptomining attack that appears to be spreading.



In March, routers from Latvian manufacturer MikroTik were hit by an advanced threat dubbed Operation Slingshot. The company issued a patch for the threat, but now a new cryptomining attack has hit MikroTik routers and appears to be spreading rapidly.
The original Operation Slingshot campaign was spyware that was able to gather screenshots, keyboard data, network data, passwords, various desktop activity, the clipboard, and more without ever using a zero-day exploit. Instead, the attack took advantage of two modules that were able to implant themselves in a targeted router. Those modules were accompanied by very sophisticated detection evasion techniques that included shutting down the attack if certain forensic activities were detected. Nevertheless, the attack was discovered and countered.
This time around, researchers have found a new MikroTik-targeting cryptojacking campaign that began with routers in Brazil and is now spreading beyond those borders. The campaign, which injects cryptomining software into traffic transiting an infected MikroTik router, was so successful that the performance hit was what drew attention to the attack; the threat actor then shifted strategies to only inject the miner through router-based error pages.
According to researchers at Trustwave, the attack has now hit more than 200,000 routers, with the number still growing as of this writing. Further, tens of thousands of those routers are outside Brazil, indicating that any initial geographic targeting is no longer in effect.
"Everyone with a MikroTik router should be worried that they will be targeted no matter where they reside," says Karl Sigler, threat intelligence manager at Trustwave. Fortunately, those same global users have a meaningful response available to the attack.
"Hopefully with enough coverage, users of MikroTik routers will patch their devices," Sigler adds. "A single patch [available since April] is enough to stop this exploitation in its tracks."
This is not the first time MikroTik owners have been urged to patch and reboot their routers. MikroTik equipment was specifically mentioned in the FBI's May 2018 call for router reboots, and even the March attack was effective only against routers that were not up to date with software patches.