Router Cryptojacking Campaigns Disrupted20,000 Hacked MikroTik Routers in Southeast Asia Were Malware-Infected
Nearly 16,000 malware-infected MicroTik routers have been scrubbed of Coinhive cryptojacking code thanks to an international police operation.
The international law enforcement agency Interpol says it launched Operation Goldfish Alpha in June 2019 to target 20,000 hacked routers in Southeast Asia that were being used to mine for cryptocurrency, as well as to raise awareness in the region of the threat posed by cryptojacking.
By the end of November 2019, Interpol reports, that the number of infected devices had been reduced by 78 percent.
Cryptojacking refers to the unauthorized, hidden use of computing power to mine for cryptocurrency. Some schemes have focused on using identity theft to purchase on-demand cloud computing power to run cryptominers (see: Singapore Man Charged in Large-Scale Cryptomining Scheme). But security experts say the majority of such attacks focus on infecting PCs and servers - as well as mobile and internet of things devices - with cryptomining malware (see: Criminals' Cryptocurrency Addiction Continues).
What cryptojacking might seem like a victimless crime, experts say otherwise.
"Affected users will notice their device slowing down due to the high CPU usage in addition to higher electricity bills," Troy Mursch of Chicago-based threat intelligence firm Bad Packets has told Information Security Media Group. "This process also generates a lot of heat, and we've seen physical damage in some cases with mobile devices." (See: Cryptojacking: Mitigating the Impact.)
Operation Goldfish Alpha
Interpol says Operation Goldfish Alpha was run by its Association of Southeast Asian Nations Cyber Capability Desk. ASEAN comprises 10 countries in Southeast Asia: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Collectively they have a population of 650 million people (see: Vietnamese APT Group Targets BMW, Hyundai: Report).
"During the five months of the operation, cybercrime investigators and experts from police and national computer emergency response teams across the 10 ASEAN countries worked together to locate the infected routers, alert the victims and patch the devices so they were no longer under the control of the cybercriminals," Interpol says. "Interpol’s ASEAN Desk facilitated the exchange of information and follow-up actions amongst the countries involved."
Interpol says private-sector support from two Japan-based firms was key to the success of the operation. "Private sector partners, including Cyber Defense Institute and Trend Micro, supported the operation through information sharing and analysis of cryptojacking cases, and providing the participating countries with guidelines for patching infected routers and advice on preventing future infections," it says. "The National Cyber Security Center of Myanmar also issued a set of good cyber hygiene guidelines for protecting against cryptojacking."
Trend Micro says that it briefed ASEAN law enforcement officers in June 2019 about information gleaned from its research into attack and infection trends.
"A few months later, we developed and disseminated a key 'Cryptojacking Mitigation and Prevention' guidance document," Trend Micro says in a blog post. "It details how a vulnerability in MikroTik routers had exposed countless users in the region to the risk of compromise by cryptomining malware."
“When faced with emerging cybercrimes like cryptojacking, the importance of strong partnerships between police and the cybersecurity industry cannot be overstated,” says Craig Jones, Interpol’s director of cybercrime. “By combining the expertise and data on cyber threats held by the private sector with the investigative capabilities of law enforcement, we can best protect our communities from all forms of cybercrime."
Repeat Target: Unpatched MikroTik Routers
MikroTik routers have been a repeat target for cryptomining rings, in part because many users have yet to patch them to fix exploitable flaws.
In April 2018, for example, MikroTik had quickly patched a zero-day flaw, designated CVE-2018-14847, that attackers can use to gain full access to a vulnerable router. Exploiting the flaw can give them access to Winbox, a simple GUI administration utility for MicroTik's RouterOS, as well as to Webfig, which is the web-based version of the utility.
But patching lagged. By September 2018, Bad Packets reported that it was seeing at least "80 unique cryptojacking campaigns targeting vulnerable MikroTik routers," and that more than 209,000 carrier-grade MicroTik routers had been infected with one of two different types of software - Coinhive and Crypto-Loot - that mine for cryptocurrency (see: Cryptojackers Keep Hacking Unpatched MikroTik Routers).
Would-be attackers have also been able to use free tools - such as MikroRoot, available on GitHub - to scan the internet for vulnerable routers and automatically take control of them.
On Thursday, IoT device search engine Censys counted more than 26,000 Coinhive-infected MikroTik routers around the world, including 745 in the United States.