
Breaking! Nearly 30,000 MikroTik Routers in India Allegedly Injected with Coinhive

October 05, 2018 15:42

In what will come as a shock to Indians, research has found that nearly 30,000 MikroTik routers in India have allegedly been infected with Coinhive, a malware program used to mine the privacy-oriented coin Monero.

The study was global in scope and examined the prevalence of the problem in countries including Brazil, India, Indonesia, the United States of America and Iran. From what we understand, this is a single cryptojacking campaign. However, no company seems to have raised any red flag over it.

Last month, we reported on research which said that Indian government websites are ideal nesting grounds for bad actors planting Coinhive to mine Monero. At the time, a researcher from the team had said, “Hackers target government websites for mining cryptocurrency because those websites get high traffic and people mostly trust them. Earlier, we saw a lot of government websites getting defaced (hacked). Now, injecting cryptojackers is more fashionable as the hacker can make money.”

Part of the research was posted by Reddit user ban breach, who said, “We have been tracking the development of this infection in India for the last month. The number of infections has doubled and continues unabated. Tier 3 cities are the most infected, with 45% of the infected routers. Mumbai and Delhi/New Delhi lead the pack with 4,384 and 2,124 infected routers.”

The Reddit post added that major telecom networks such as BSNL, Reliance Communications and Hathway are allegedly the worst hit. Other networks, such as Vodafone and Airtel, have nearly 200 infected routers each.

Source: Censys

Additionally, the original report stated that the routers were being compromised by miscreants exploiting CVE-2018-14847, a critical vulnerability that affects all versions of RouterOS through 6.42. MikroTik issued a patch earlier this year; however, the latest statistics (above) reveal that device owners and network operators have chosen not to apply it.

The report added, “While Coinhive is used in the vast majority of cryptojacking campaigns, it is not used by the largest campaign. Instead, CoinImp is used in a campaign consisting of 115,000 MikroTik routers, per the latest Censys results. A large share of compromised devices are found on the network of two service providers in Iran, AS59566 and AS56616. In this campaign, CoinImp is injected via https://srcip[.]com/src.js which embeds an iframe pointing to https://srcip[.]com/js.html which contains the cryptocurrency mining JavaScript code.”
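The injection chain quoted above (a loader script that embeds an iframe carrying the miner) can be spotted in captured HTTP responses by listing every external script and iframe source and matching its host against a watchlist. The following is an added example, not code from the report or the article; the watchlist (srcip.com from the report, plus Coinhive's own script host) and the two sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed watchlist: the host named in the report plus Coinhive's script host.
CRYPTOJACK_HOSTS = {"srcip.com", "coinhive.com"}


class InjectedResourceFinder(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.resources.append((tag, src))


def host_of(url):
    """Return the lower-cased host of an absolute or scheme-relative URL, else None."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None


def find_cryptojacking(html, watchlist=CRYPTOJACK_HOSTS):
    """Return the (tag, url) pairs whose host is, or is under, a watchlisted domain."""
    parser = InjectedResourceFinder()
    parser.feed(html)
    hits = []
    for tag, url in parser.resources:
        h = host_of(url)
        if h and (h in watchlist or any(h.endswith("." + w) for w in watchlist)):
            hits.append((tag, url))
    return hits


# Constructed samples: a clean page, and one mirroring the src.js -> js.html chain.
CLEAN_PAGE = "<html><head><script src='/static/app.js'></script></head><body>ok</body></html>"
INJECTED_PAGE = ("<html><head><title>Error</title></head><body>"
                 "<script src='https://srcip.com/src.js'></script>"
                 "<iframe src='https://srcip.com/js.html' width='1' height='1'></iframe>"
                 "</body></html>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_cryptojacking(page))
```

Running the same function over responses saved from a device's web interface or a proxy error page gives a quick first check for the injected loader, independent of the miner's obfuscated JavaScript.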

We reached out to Troy Mursch, the author of the research, for answers. We’ll update the article if and when he responds.


A blockchain enthusiast, a wannabe-crypto investor and an all-around enthusiast! Loves travelling, especially to ASI-protected areas, believes in giving her best shot at everything she does! Definitely an introvert.
