Aug 05, 2018 02:22 PM | By: Art Vasquez
The infamous Coinhive miner has been abused once again, this time by a cryptojacker who targeted ISP-grade routers. Will this ever end?
A recent tweet from an independent malware investigator reports a "mass exploitation" of MikroTik routers for cryptocurrency mining. The attacker hijacked the routers, then injected the code for the Coinhive miner into web pages passing through the routers in question.
Each [MikroTik] device serves at least tens if not hundreds of users daily [...] the attacker wisely thought that instead of infecting small sites with few visitors or finding sophisticated ways to run malware on end-user computers, they would go straight to the source; carrier-grade router devices. / Simon Kenin
The attack, which began in Brazil but has since spread worldwide, has affected an estimated 175,000 devices. Those affected include people who do not use MikroTik routers themselves, as ISPs have been using the compromised routers.
In the past, the Coinhive team has taken no action beyond terminating the address used in an attack, meaning that the attacker can easily switch to another. In fact, a second Coinhive address has already been introduced to attack MikroTik routers, bringing the number of compromised devices up to 200,000.
It’s not clear if this is the same attacker or a copycat, but it seems unlikely that this type of attack will end any time soon. Coinhive mines Monero, which has built-in anonymity and privacy, making it more difficult to trace than Bitcoin, and the source of such attacks is rarely found.