Hackers Exploit Nearly 200,000 “Carrier-Grade” Routers to Mine Monero (XMR)

  • A security flaw in thousands of MikroTik routers located in Brazil and Moldova is being used to mine Monero (XMR) on computers of unsuspecting users.
  • This is a very serious problem because “carrier-grade routers” are being exploited to run mining scripts, a security researcher said.

Over 170,000 routers manufactured by MikroTik, a Latvian company that develops wireless ISP systems, are reportedly being exploited by hackers to mine cryptocurrencies.

Simon Kenin, a security researcher at TrustWave, revealed an unidentified entity appears to be taking advantage of a design flaw in MikroTik’s routers to run malicious cryptocurrency mining scripts on the computers of unsuspecting users.

Maliciously Mining Monero

A bad actor, or a group of them, seems to be exploiting a vulnerability in the tech company’s routers that it claimed to have fixed. JavaScript mining software from Coinhive, a service that lets people integrate Monero (XMR) mining code on users’ devices, is being installed into browsers that are connected to the vulnerable routers.

According to reports, most targeted computers belong to users in Brazil. Kenin pointed out, however, that similar attacks were taking place in other locations. Troy Mursch, another security professional, said that these types of attacks have become common in Moldova where over 25,000 MikroTik routers had been used to run Coinhive’s crypto mining scripts.

“Hundreds Of Thousands” Of Affected Routers

Currently, it isn’t clear whether there’s a connection between the attacks in Brazil and those observed in Moldova. MikroTik has attempted to fix the vulnerability, but a large number of devices remain affected.

Kenin noted that these attacks are a serious issue because MikroTik’s high-end routers, as well as other hardware, are used by various businesses, large organizations, and ISPs. The security expert stressed the problem’s severity, saying:

Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices.

Simon Kenin

He further explained that there are “hundreds of thousands” of affected routers throughout the world and that “each device serves at least tens if not hundreds of users daily.” In February, CryptoGlobe reported that government websites had been infected with cryptocurrency mining malware, including the UK’s official National Health Service (NHS) website.

A month later, in March, the Egyptian government was found to be secretly mining cryptocurrencies by using its citizens’ computers. At the time users were being redirected to malicious websites that were mining Monero through Coinhive’s scripts.