A vulnerability in MikroTik WiFi routers has affected nearly 2.5 lakh routers across the globe, exposing them to crypto-mining and other forms of cyber-attack. Of these, 11,809 routers are in India. Brazil is the most affected country, with 85,230 routers.
Of the top internet providers with infected routers across the globe, Reliance Jio Infocomm is the only Indian internet provider in the list, suggesting that it is the most affected Indian internet provider.
According to cybersecurity firm Avast, hackers have exploited the vulnerability ‘CVE-2018-14847’. This is a vulnerability in Winbox, which is the operating system for MikroTik routers. All its versions till 6.42 allow remote attackers to bypass authentication and read arbitrary files. This in turn lets them carry out attacks ranging from cryptomining to eavesdropping.
Avast suspects that the routers were targeted by the cryptomining campaign ‘JS:InfectedMikroTik’.
“Interestingly, the originally intended web page reloads itself into an IFRAME element after 10 milliseconds, so the user sees the original content inside an iframe, while the miner runs in the background. This way, the user will happily browse the original content without even knowing that something fishy is going on in the background,” Avast says in its report of the vulnerability.
As per Avast, hackers look for anything that can provide them with computing power, and routers are one of the most obvious targets since every connected household and business has one. The security issues with these routers are most often due to weak passwords.
In the case of this attack, while it is suggested that a vulnerability in WinBox gave hackers access to the routers, Avast says that the routers could also have been exploited because their owners didn’t change their default credentials or created weak passwords.
“One might think the campaign uses just the routers’ computing power to mine coins, however, this is not the case. It uses the computing power of all devices connected to the infected router that can run a browser, including computers, phones, and smart TVs. The bigger issue, however, is that once the router is compromised, you can’t be sure how else it might be abused… It could be used for sniffing the traffic, serving you malicious pages etc.,” Avast says.
If the routers are updated with the latest firmware, the vulnerability is fixed. But out of the 314,000 MikroTik routers in the Avast user base, 85.48% are vulnerable to the Winbox exploit.
While Avast is still chasing the offenders, it says that this is difficult given the massive number of infected routers.
What to do if you’re affected?
Check if you have a MikroTik router.
Those who don't have a MikroTik router can also be affected by this issue. If your anti-virus software gives you the detection JS:InfectedMikroTik, it is likely that your ISP (internet service provider) is affected. In that case, contact them immediately to resolve the issue on their routers.
Install the latest firmware and set a new password. Ensure the password is strong. New versions of MikroTik routers close external access to the router by default, thus making you safe from an attack.
Avast has published a detailed explanation of what to do if you are affected.