cageymaru

A known vulnerability in MikroTik routers that was patched within a day of being discovered has been used by hackers to force whole networks of computers to mine cryptocurrency. The exploit causes the router to inject Coinhive's JavaScript into every web page that the router visits, causing all networked PCs to mine Monero for the attacker. The exploit started in Brazil and has spread globally. You can track the infection with Bad Packets Report on Twitter. As of now, over 209,000 devices are infected.

Of course the cure to all of this madness is to simply keep your router's firmware and software up to date. Instructions on how to patch RouterOS on your MikroTik router and the latest version of WinBox can be found here.

It's a good reminder for users and IT managers who are still running vulnerable MikroTik routers in their environment to patch their devices as soon as possible. A single patch, which is available since April, is "enough to stop this exploitation in its tracks."
 
Wow, that's surprising. MikroTik makes some of the most powerful routers based on open source. Every pro net website I go to says they are near the top in terms of speed, security and features.


It's awesome they got a fix out in a day however. I have never seen any vendor respond that fast. (Even Cisco)
 
For smaller clients I have been using MikroTik for years. They do turn things quickly when an error is found.

I check their site every month for updates and the reason for those updates. I have no qualms about continuing to use or recommending them.
 
Good for them. I'm at Verizon's mercy as far as router patches go. I'm sure their response to something like this would be to sell me a different router.
 
Lol, saw one of these in a business the other day, replaced with a MikroTik from a Cisco managed router. The Cisco was working fine but their tech guy sold them this MikroTik for 700.00; cost on Amazon was 49 bucks. I really love how other techs prey on stupid people and rip them off.
 
Found this chasing info on the actual WinBox bug:

Mitigation Techniques
  • Update your RouterOS to the last version or Bugfix version
  • Do not use Winbox and disable it :| it's nothing just a GUI for NooBs ..
  • you may use some Filter Rules (ACL) to deny anonymous accesses to the Router

If folks have left their routers open to anonymous access, not the router company's fault.
 
It still amazes me how few people actually keep their shit up to date. And when it comes to MikroTik, these are more likely than not enterprise users. They really should know better.
 
Found this chasing info on the actual WinBox bug:

Mitigation Techniques
  • Update your RouterOS to the last version or Bugfix version
  • Do not use Winbox and disable it :| it's nothing just a GUI for NooBs ..
  • you may use some Filter Rules (ACL) to deny anonymous accesses to the Router

If folks have left their routers open to anonymous access, not the router company's fault.

True,

But I would argue that as a risk mitigation, no router should ship from the factory with default settings allowing anonymous access...
 
Unfortunately, there are a lot of people using MikroTik who have no idea how to properly configure them. Properly configured, they are as good, if not better, than any other router in that class.
 
True,

But I would argue that as a risk mitigation, no router should ship from the factory with default settings allowing anonymous access...

Most reputable companies don't. I know my Netgear doesn't. Linksys (Belkin) does this also. That is why there is a password sticker pasted on the bottom and different from every router shipped.
 
Good for them. I'm at Verizon's mercy as far as router patches go. I'm sure their response to something like this would be to sell me a different router.

Guaranteed with anything Verizon. My Dad has Verizon Wireless and couldn't get any cell coverage at his house - their engineers analyzed it and found he was perfectly in a deadzone between towers. So they told him he'd need a cell-to-IP device (Network Extender). Kicker? $300, he has to provide the internet (and the liability), and you can't block users from connecting. So you're essentially paying to extend Verizon's network for them and they instruct you to put it into a window. Not because it needs a cell tower, but because they want you to maximize the coverage to other people.

They're very anti-customer.
 
according to TP cast my router has NEVER had a firmware upgrade.....

The bottom of my unit says it's the 'Canadian' version, and support says I can't use the US firmware updates.. dare I try anyway? (It's the Archer C2 AC750, is now EOL so they aren't pushing updates to speak of anyway, blah)
 
there's technically a version of OpenWRT for it but it doesn't even have a GUI :S boo-urns
Can't be that hard to set up though. I'd make a thread about it in the appropriate forum here and ask for someone to walk you through a setup. I'm sure someone will oblige you. ;)
 