Cryptojacking Doubles Number of Infected Routers – Report

Security researcher VriesHD claims that there are over 400,000 targeted devices worldwide since the beginning of December.

A new cryptojacking software that targets routers has doubled its presence since the discovery of the virus in August this year, security researcher VriesHD told US media TNW on Wednesday. The unauthorized software hacks mainly MikroTik devices.

According to a conducted analysis by VriesHD, 415,000 routers had been hacked with the aim to “create” virtual coins through December 2. However, the real number is around 350,000-400,000 as the data reflects the number of IP address, the researcher explained. CoinHive, a software that mines Monero (XMR) cryptocurrency still dominates the cryptojacking router attacks, but new viruses have also begun to emerge.

“CoinHive, Omine, and CoinImp are the biggest services used,” VriesHD told TNW.

“It used to be like 80-90 percent CoinHive, but a big actor has shifted to using Omine in recent months.”

Initially, the new MikroTik-orientated cryptojacking virus was mainly concentrated in Brazil, but a VriesHD map shows that it has expanded its geography of use and is now a common threat to router owners in Europe, Middle East, Asia-Pacific, and Latin America. 

According to the researcher, MikroTik users should contact their internet services providers (ISPs) because most of the telecommunication companies give own routers to their clients.

“Users should indeed update their routers, yet the biggest bunch of them are distributed by ISPs to their customers, who often have no idea what to do or how to update the router. Often these distributed routers are limited in their rights as well, not allowing users to update the routers themselves,” VriesHD said.

“The patch for this specific problem has been out for months and I’ve seen ISPs with thousands of infections disappear from the list,” he added. Unfortunately, it appears tons of ISPs simply won’t take action to mitigate the attacks.

The MikroTik cryptojacking virus was discovered by Simon Kenin, a cybersecurity researcher at Chicago-based Trustwave, in August. Kenin estimated that the number of infected devices was around 170,000 to 200,000. The malicious miner uses mainly CoinHive script and vulnerability in MikroTik routers. Unlike other cryptojacking practices, this one targets routers instead of individual personal computers.

According to Malwarebytes Labs data, in the third quarter of this year, cryptojacking was in a declining trend, except for MikroTik infections, while crypto ransomware was gaining ground.

Reading now