![MikroTik RouterOS-based botnet](https://i.imgur.com/lr5HBt9.png)
![MikroTik RouterOS-based botnet](https://techtrickszone.com/wp-content/uploads/2019/10/Upgrading-MikroTik-RouterOS-and-Firmware-using-Winbox.jpg)
On July 31st, just after getting back to the office from my talk at RSA Asia 2018 about how cyber criminals use cryptocurrencies for their malicious activities, I noticed a huge surge of CoinHive in Brazil.

After a quick look I saw that this is not your average garden variety website compromise, but that these were all MikroTik network devices.

Figure 1: Shodan query of MikroTik devices in Brazil with CoinHive that returns over 70,000 results

This could be a bizarre coincidence, but on further inspection I saw that all of these devices were using the same CoinHive site key, meaning that they all ultimately mine into the hands of one entity.

I looked for the CoinHive site key used on those devices, and saw that the attacker indeed mainly focused on Brazil.

Figure 2: Shodan query for the CoinHive site key used by the attacker

My first thought was that on such a large scale this could be a zero-day exploit, possibly in the MikroTik HttpProxy component, so my next step was to check whether anyone else had also noticed this, since during the conference I had limited time and internet access to keep up with daily news.

Google didn't produce many results, but the few that did come up were actually quite useful in helping me pinpoint the attack vector and what the attacker did.

For example, this result shows injection of CoinHive on a hospital website in Brazil.