The perpetrator can infect the device with malicious code and secretly run CoinHive in the background. For those unfamiliar, CoinHive is a favorite Monero mining script that has been widely used to exploit cryptographic currency to exploit cryptographic currency, which often uses for philanthropy, but unfortunately this time it is not.
This type of attack is known as a zero-day attack, exploiting previously unknown code vulnerabilities. This zero-day allows CoinHive to run on every page accessed by the exposed machine. There may be millions of websites loading these cryptocurrency computing loads every day.
According to Trustwave, “Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.”
https://twitter.com/MalwareHunterBR/status/1023893755974352896
The attack began earlier this week and is believed to be in its early stages. BleepingComputer reported that it launched a second attack, bringing the total number of affected machines to more than 200,000.
Therefore, for the network administrator, it is necessary to pay particular attention to the MikroTik router used in the network, and timely check whether the router has installed the system patch in time. This is not the first time that the MikroTik router has become the target of malware. In March of this year, there was also a cybersecurity incident in which hackers spread and installed spyware on users’ computers through the loopholes of the router.
