MicroTik Router

Podcast Episode 116: Cryptojacking and MikroTik’s Bad-Feeling Feel Good Patch Story

In this week’s episode (#116): we speak to noted researcher Troy Mursch (@bad_packets) of the Bad Packets Report about the recent surge in crypto-jacking malware attacks. Troy and I talk about the role played by a months old security hole in RouterOS, software that runs on routers by the firm MikroTik has helped fuel the surge in crypto-jacking attacks.

MikroTik’s bad-feeling feel good patch story

When researchers at the firm Tenable first presented evidence of a number of serious router security flaws to the Latvian firm MikroTik in April, 2018, the firm’s response was uncharacteristically awesome. In contrast to the response of many hardware makers, MikroTik acted promptly on the news and issued patches within months – in August 2018. It also issued stern advice to customers to apply the fixes immediately.

But in the months since the patches were released, MikroTik’s has become the feel-good patching story that feels pretty bad. We now know that the vast majority of MikroTik’s thousands of customers – most carriers and telecommunications firms – simply failed to apply the patches. Cyber criminals were not forgiving. Even before a patch was available, hundreds of thousands of the company’s devices began being targeted by attacks targeting the vulnerabilities. For those that were compromised, the attackers modified a proxy service on the routers to inject crypto mining code onto the computers of anyone who used the infected router to connect to the Web.

Check out: North Korea’s Lazarus Tied to Cryptojacking Campaign Targeting MacOS

MicroTik Router
Routers by MikroTik were targeted by cyber criminals and used to spread crypto-jacking malware.

MikroTik routers were also targeted by the Russian advanced persistent threat actor known as “FancyBear,” which targeted MikroTik devices using default credentials, the standard usernames and passwords enabled on the device out of the box, and as-yet-unknown vulnerabilities to load VPNFilter, a malicious software program, on the devices.

Last week, more than two months after the MikroTik patch was released, Tenable published the results of its research as well new tools for analyzing the RouterOS software.

Long Tail Wagging the Dog

How did vulnerable, carrier grade routers end up enlisted in a crypto-jacking campaign? And what do the attacks on the MikroTik routers mean for overall Internet security? To find out, we invited security researcher Troy Mursch of the consulting firm Bad Packets into the studio. Troy is an expert on crypto-jacking malware and has studied the growth of crypto-jacking campaigns that are using vulnerable MikroTik routers.

Troy Mursch Bad Packets
Mursch (@bad_packets) is a security researcher at Bad Packets Report.

You might also be interested in: Kaspersky Deems Crypto-jacking the New Ransomware as Crypto-miners up Their Game

Mursch told us that the MikroTik is part of a bigger problem: the failure of infrastructure owners to take appropriate action to address serious security holes in products. That’s especially true of MikroTik, whose user base is large and diverse, with thousands of customers owning low concentration of MikroTik gear. Also, because the crypto-jacking malware affects end users who are behind the router and not the router itself, asset owners are more likely to ignore the problem, Mursch said.

Crypto-jacking is more of a nuisance than, say, ransomware, but that victims of crypto-jacking attacks shouldn’t dismiss the seriousness of crypojacking malware.

“If you see or have crypto-jacking malware it is an indicator of compromise and that further action needs to be done because there could be worse malware out there,” he told me.

Among other things: routers that host coinhive malware this week could easily be compromised and used to serve other threats next week, Mursch said.

Check out our full conversation above!