Criminals continue to target consumer devices to cause all kinds of havoc. Any internet-connected machine is prone to being targeted by malware or other malicious software. Various loosely protected routers are being used for cryptojacking purposes. It further confirms users need to pay more attention to security.

170k+ Infected Mikrotik Routers, Many More Vulnerable

In the United States alone, more than 46 million routers are installed in homes and businesses. These devices provide wireless internet connectivity to all devices at the location. Similar to other technology-driven devices, they need to be protected and updated regularly lest they become vulnerable to intrusion. Customers of Latvia-based router manufacturer Mikrotik are learning this the hard way, as TrustWave reports that an estimated 170,000+  of the company’s routers have been infected with the Coinhive cryptominer malware.

Those are the findings of security researcher Simon Kenin, whose report confirms a new wave of cryptojacking is taking place, primarily in Brazil. However, with more than 1.7 million Mikrotik routers deployed around the world, the potential for an even greater spread of Coinhive infection exists.

In his report, Kenin writes:

The exploit targets Winbox and allows the attacker to read files from the device … but the bottom line is that using this exploit you can get unauthenticated remote admin access to any vulnerable MikroTik router.

He continues:

Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.

Cryptojacking Alert! 170k Mikrotik Routers Infected with Coinhive Cryptominer Malware

How It Happened and What Users Can Do About It

The vulnerability in the router software that enabled the exploit was actually discovered in late April 2018 and, to Mikrotik’s credit, they patched the vulnerability within a day of its discovery.

So why isn’t this old news, you ask? Because the vulnerability is still present on tens of thousands – even hundreds of thousands – of out of date Mikrotik routers.

In an email to TechTarget, Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, explains why so many routers have yet to be patched:

Most routers, unfortunately, lack the ability to auto-update, and very few users, especially home users, know how or when to patch the firmware on their router. […] One of the biggest failures of security vendors that provide small-office [or] home-office routers is not including an auto-update feature by default, regardless of the technical difficulties lying around potentially taking the router offline during the update process.

Customers who have Mikrotik routers purchased before April 2018 are encouraged to update them as soon as possible. Mikrotik provides extensive documentation on the upgrade process that is easy to understand and follow. Instructions for both automatic and manual updates are provided, however, it should be noted that only Mikrotik routers newer than v5.25 will be able to use the auto-update functionality.

Have you ever been a victim of Coinhive’s cryptominer? Was it due to a vulnerable router or some other means of infection? Let us know in the comments below.

Images courtesy of

Tags: , ,

Leave a Reply

We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy.