{"id":86634,"date":"2018-08-09T14:16:11","date_gmt":"2018-08-09T08:46:11","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86634"},"modified":"2018-08-09T14:16:11","modified_gmt":"2018-08-09T08:46:11","slug":"cryptocurrency-miner-hits-iot-devices-mostly-affects-brazil-russia","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/cryptocurrency-miner-hits-iot-devices-mostly-affects-brazil-russia\/","title":{"rendered":"Cryptocurrency miner hits IoT devices, mostly affects Brazil and Russia!"},"content":{"rendered":"

According to a blogpost<\/a> published on Aug 1, 2018, 200,000 routers in Brazil were compromised to deliver Cryptocurrency mining scripts to mine Monero (XMR) cryptocurrency. Hackers compromised the vulnerable MikroTik routers by injecting CoinHive scripts into the routers web pages in order to carry out the mass Cryptocurrency miner attack. The IDS\/IPS research team at Quick Heal Security Labs was observing the attack and soon started digging into the telemetry to find out the traces of the attack. The data mining effort landed us on traces of the attack observed at our customers which were completely blocked by Quick Heal\u2019s IDS\/IPS solution.<\/p>\n

The telemetry data recorded the hits for IDS\/IPS signatures from the period July 30, 2018, to Aug 4, 2018. We did not see hits after Aug 4, 2018. We believe the infected routers were cleaned up and patched against the vulnerability which led to the attack.<\/p>\n

\"Fig
Fig 1. IDS\/IPS signature hits<\/figcaption><\/figure>\n

The compromised URLs accessed were having a typical structure like this:<\/p>\n

https:\/\/<Router IP Address>\/<Random String>.php<\/em><\/p>\n

The sample URL set received in telemetry looks like below.<\/p>\n

\"Fig
Fig 2. Compromised URL telemetry<\/figcaption><\/figure>\n

At the time of the analysis, the compromised pages did not deliver the Cryptocurrency miner code as most of them were down. A typical injected CoinHive JavaScript looks like the below:<\/p>\n

\"Fig
Fig 3. CoinHive Injection<\/figcaption><\/figure>\n

To know more about how CoinHive cryptocurrency works read this blogpost<\/a>.<\/p>\n

The fingerprint of one the router is shown below which clearly indicates the device being of MikroTik.<\/p>\n

\"Fig
Fig 4. Fingerprint of compromised IP \u2013 MikroTik device<\/figcaption><\/figure>\n

The most affected country was Brazil followed by Russia. We also saw countries like Vietnam, the Republic of Moldova and the United States being affected.<\/p>\n

\"Fig
Fig 5. Affected Countries<\/figcaption><\/figure>\n

This shows the intensity of the mass router compromise which in turn would have affected many users. This also shows the importance of patching the well-known vulnerabilities. There is a challenge to update the routers or IoT devices but we strongly recommend to get familiar with the upgrade process for various IoT devices and regularly update them with the latest patches. Even though the MikroTik had issued a patch against this vulnerability in April 2018, the affected devices were not patched which led to this massive router compromise. To defend against such attacks, it\u2019s really important to patch all sorts of devices.<\/p>\n

Quick Heal IDS\/IPS Detection<\/strong><\/p>\n