Since exploit code for CVE-2018-14847 became publicly available, miscreants have launched attacks against MikroTik routers. Thousands of unpatched devices are mining for cryptocurrency at the moment.
The maker of the routers released a patch for the security bug in April, but users have been slow to install the update, leaving cybercriminals to fight over the unpatched devices.
Security researcher Troy Mursch, who tracks botnets and researches cryptojacking campaigns, found that the infected MikroTik routers from the latest campaign open a websockets tunnel to a web browser mining script.
According to the researcher, the malware raises the CPU usage of an infected MikroTik router to about 80% and holds it at that level. Leaving headroom for the router's normal tasks while mining for cryptocurrency is meant to keep the activity hidden from the user.
The number of affected devices is uncertain, as they are getting "owned and re-owned by the minute, just like any other botnet of vulnerable devices" Mursch told BleepingComputer.
A search on Shodan showed 3,734 MikroTik devices running the mining tool reported by the security researcher. At the time of publishing, the number had grown to 3,805, suggesting continued cybercriminal interest.
Most of the affected routers are concentrated in South America, mainly in Brazil (2,612) and Argentina (480). Other countries are also on the list, although the numbers are not as significant.
In August, Trustwave's SpiderLabs division noticed another cryptojacking campaign that affected 72,000 MikroTik devices, also in Brazil.
In another report last week, Qihoo stated that most of the MikroTik routers vulnerable to CVE-2018-14847 were in Brazil and Russia, and were targets of cryptomining malware.
In both reports, the security researchers observed that the attackers leveraged the same security bug.
Cybercriminals will continue to exploit vulnerabilities, no matter how old they are. One example comes from the world of exploit kits, where some of the most popular ones still rely on old security gaps from 2014 and 2015. Patching is the easiest way to curb these