Here's a devious way to mine cryptocurrency: Get 200,000 internet routers to do it for you.
According to security researchers, a mysterious hacker has been exploiting vulnerable MikroTik networking devices, mainly in Brazil and Moldova. The goal: to install cryptocurrency miners on any computers connected to them.
The hacker has been targeting a security flaw that can let you gain remote administrative access to the devices, according to Simon Kenin, a researcher at security firm Trustwave. Mikrotik, a maker of both Wi-Fi and Ethernet routers, issued a software fix back in April. But hundreds of thousands of devices remain unpatched and searchable online,
To mine the cryptocurrency, the hacker tampered with the routers to serve up code that'll run across a computer's internet browser. Once the code loads, it secretly hogs a PC's processing power to generate a virtual currency called Monero, which is sent to the hacker's account.
Other hackers have employed similar tactics, usually by planting cryptocurrency miners on individual websites. The more computers running the miner, the more virtual currency it can generate.
But what makes this scheme particularly devious is how many computers it can potentially reach. "There are hundreds of thousands of these (MikroTik) devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily," Kenin said.
Kenin first noticed the issue because of how the mining takes place; it uses some code provided by Coinhive, an infamous service that provides a free cryptocurrency miner to anyone. Hackers have been using Coinhive to secretly plant miners in websites, YouTube ads, and third-party software as a way to generate digital gold.
Kenin noticed that the MikroTik routers have been running the Coinhive miner a bit more selectively. In some instances, it'll run across any webpage the browser visits; in others, it'll only load when the browser encounters an error page. But ultimately, victim computers, be it a PC or smartphone, will have no choice but to run the miner on the browsers, as long as they remain connected to the affected wireless network.
According to Kenin, 170,000 MikroTik devices mainly in Brazil were found running the miner. A separate security researcher named Troy Mursch later found that another 25,000, largely in Moldova, were also distributing a Coinhive cryptocurrency miner. Whether it's the same hacker or a copycat isn't clear.
Coinhive, which has the ability to shut down hacker accounts behind the mining, so far hasn't commented on the reported hacking. But in the meantime, security researchers are warning that more routers may get ensnared.
"This attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale," Kenin wrote. Owners of the MikroTik devices can learn how to patch them here.