Let me start this in a very advertising fashion. Read the next few lines in the voice of a telemarketer. Are you experiencing slow browsing speed? Is your computer slowing down or freezing unusually? Is your computer heating up without much activity? You, my friend, may be a victim of cryptojacking.
The widespread phenomenon of taking control of a computer to mine cryptocurrencies without the consent of its owner is called cryptojacking. Reports are flying in from around the world of several hundred million devices being cryptojacked every month. This time, the news is from India.
Banbreach, a cybersecurity research and solutions firm, found that over 30,000 MikroTik routers in India have been compromised and are running cryptojacking scripts provided by Coinhive. Coinhive provides mining software that mines Monero using the CPU of the computer it is installed on. Hackers then create different variants of the script to suit their needs, such as one injected into an internet router.
#Cryptojacking in #India: Nearly 30,000 #MikroTik routers in India are infected with #Coinhive. Here's what it looks like today via two different search engines. (h/t @bad_packets for finding this originally) pic.twitter.com/ue9klBY0kS — Banbreach (@Banbreach) October 5, 2018
Who is Affected?
According to Banbreach, all major ISPs are affected; BSNL, Hathway Broadband and ACT Fibernet are some of them. In the simplest terms, if your ISP has installed a router for your broadband and that router is infected, all of the computers connected to it can be used to mine cryptocurrency.
So while Banbreach reports that over 30,000 routers are infected, the actual number of computers being used to mine Monero could be much larger.
You may not even know that your computer is affected, says Suman Kar, CEO of Banbreach. In an email response, Kar said:
“If such compromised routers are ISP controlled, clients will probably never get to know about it. Browsing performance can degrade, to the extent that you are thrown out.”
Suman Kar, CEO, Banbreach
The Quick Fix
This is not the first MikroTik report. Back in August, it was reported that over 200,000 MikroTik routers in South American countries had been compromised. The vulnerability exploited then and now is the same.
Hackers are taking advantage of a critical Winbox vulnerability (CVE-2018-14847) to compromise unpatched routers. MikroTik has patched the vulnerability, and updating the router’s firmware, RouterOS, will solve the problem.
Anyone using version 6.42 or an older version of RouterOS should apply the update ASAP. It can be downloaded here. But if you don’t have control of the router, or the router is not within your reach, you have to call your ISP to update it.
“There isn’t much you can do if a compromised router is sitting in your local internet provider's office, other than calling them up and asking them to do the update.”
Suman Kar, CEO, Banbreach
But chances are they won’t even know what you’re talking about, as happened with this Twitter user.
Yes it was a MikroTik router. Apparently my ISP doesn't understand such security issues, so I've told them to reset all their routers and update the RouterOS.— Vipin Bathaw (@vipin_bathaw) October 6, 2018
How do I know if I am Cryptojacked?
We asked Kar the same thing. It turns out there are no easy answers.
“With routers, this is more difficult. You will need to login to the administration page, and look up active connections. If you suspect there is a connection going to a suspicious site, you will need to check if it is a mining pool.
Heating up and freezing (computers) are some common indicators that there’s something wrong.”
Suman Kar, CEO, Banbreach
If your computer is acting weird, it might be time to check your router first. If it’s a MikroTik router, the best solution is to call your ISP and ask them to reset it and update the RouterOS.
But you can easily block cryptojacking attempts from websites; yes, that happens too. Some websites run scripts from Coinhive and use your computer's CPU to mine Monero while you browse the site. Installing Chrome extensions such as No Coin or MinerBlock can block cryptojacking attempts from websites.
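The triage Kar describes, looking through the router's active connections and checking whether any destination is a mining pool, can be scripted once you have exported the connection list. The following Python is an added example and is not code from the article or from Banbreach. It parses a constructed, simplified connection table (an assumption: this is not the exact layout RouterOS prints), resolves destination addresses through a constructed reverse-DNS map standing in for real lookups, and flags connections whose destination host is on a defender-maintained watchlist (coinhive.com is the service named in the article; the other entry is a placeholder) or whose destination port is one that stratum-style mining pools commonly use, which is a heuristic rather than proof of mining.

```python
"""Triage a router's active-connection list for likely cryptomining traffic.

Added example, not from the article or from Banbreach. All sample data below
is constructed; the addresses come from the documentation ranges.
"""
import re
from dataclasses import dataclass

# Constructed watchlist. coinhive.com is the service named in the article;
# the second entry is a placeholder a defender would replace with real pool hosts.
MINING_WATCHLIST = {
    "coinhive.com",
    "pool.example-miningpool.invalid",   # placeholder, not a real host
}

# Heuristic: ports commonly used by stratum mining pools. A match here is a
# reason to look closer, not evidence on its own.
SUSPECT_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}

# Constructed sample in a simplified "src:port -> dst:port proto" form.
# Assumption: this is NOT the exact RouterOS `/ip firewall connection print` layout.
SAMPLE_CONNECTIONS = """\
# src -> dst proto
192.168.88.10:51234 -> 192.0.2.80:443 tcp
192.168.88.11:49876 -> 203.0.113.7:3333 tcp
192.168.88.12:52001 -> 198.51.100.9:80 tcp
192.168.88.13:50111 -> 203.0.113.7:14444 tcp
192.168.88.14:50333 -> 198.51.100.200:443 tcp
"""

# Constructed reverse-DNS map standing in for the lookups a real run would do.
REVERSE_DNS = {
    "203.0.113.7": "pool.example-miningpool.invalid",
    "198.51.100.200": "coinhive.com",
}


@dataclass
class Connection:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


LINE_RE = re.compile(
    r"^(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+(?P<proto>\w+)\s*$"
)


def parse_connections(text):
    """Parse the simplified table; blank, comment and malformed lines are skipped."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        conns.append(Connection(m["src_ip"], int(m["src_port"]),
                                m["dst_ip"], int(m["dst_port"]),
                                m["proto"].lower()))
    return conns


def resolve(ip, reverse_dns=REVERSE_DNS):
    """Return the hostname for an address, or None if unknown."""
    return reverse_dns.get(ip)


def matches_watchlist(hostname, watchlist=MINING_WATCHLIST):
    """True if the host equals a watchlist entry or is a subdomain of one."""
    if hostname is None:
        return False
    h = hostname.lower().rstrip(".")
    return any(h == w or h.endswith("." + w) for w in watchlist)


def classify(conn, watchlist=MINING_WATCHLIST, ports=SUSPECT_PORTS):
    """Return the list of reasons a connection looks like mining traffic (empty if none)."""
    reasons = []
    host = resolve(conn.dst_ip)
    if matches_watchlist(host, watchlist):
        reasons.append(f"destination {host} is on the mining watchlist")
    if conn.proto == "tcp" and conn.dst_port in ports:
        reasons.append(f"destination port {conn.dst_port} is a common mining-pool port")
    return reasons


def triage(text):
    """Return (connection, reasons) pairs for every connection that raised a reason."""
    findings = []
    for conn in parse_connections(text):
        reasons = classify(conn)
        if reasons:
            findings.append((conn, reasons))
    return findings


def flagged_sources(text):
    """LAN hosts behind the router that have at least one suspicious connection."""
    return sorted({conn.src_ip for conn, _ in triage(text)})


if __name__ == "__main__":
    for conn, reasons in triage(SAMPLE_CONNECTIONS):
        print(f"{conn.src_ip} -> {conn.dst_ip}:{conn.dst_port}")
        for r in reasons:
            print(f"    {r}")
```

A watchlist hit is the strong signal; a port hit alone only tells you which LAN host to look at next, since plenty of legitimate services also use those ports. On a real router you would replace the constructed table with the exported connection list and the reverse-DNS map with actual lookups.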
Cryptojacking is becoming more common than one might expect. Banbreach has been monitoring cryptojacking attempts and has determined that the number of infected routers doubled within a month, and in the top three cities it went up by 500%.
The number of compromised routers have doubled in the past month. For the top three cities with the most infected routers, the growth has been ~5x. pic.twitter.com/TuCxt0evnb — Banbreach (@Banbreach) October 5, 2018
Tier 3 cities are being targeted more than Tier 1 or 2 cities, as over 40% of the infected routers are in those cities. A possible explanation is a lack of awareness of cyber security in these places: a layperson may assume something is wrong with the computer, rather than suspecting that the router is compromised, when the computer heats up too soon too often.
It is wise to be vigilant and alert for cyber attacks such as these. If you are using a MikroTik router, update RouterOS ASAP.