Finder makes money from featured partners, but editorial opinions are our own.

ISPs were patient zero in a mass cryptojacking wave hitting Brazil

shutterstock data servers crypto 450x250

That's why you keep your software up to date.

Cryptojacking is when an attacker infects a victim's computer with a cryptocurrency miner, and then leeches their computing power for profit. Cryptojackers quickly became the most popular type of malware by a very large margin, often striking victims through creative attack vectors where traditional malware would probably have failed.
juicy crypto words
It looks like someone recently found another brand new attack vector, targeting carrier-grade MikroTik routers used by ISPs through an old vulnerability, and from there infecting about 200,000 Internet connections across Brazil and elsewhere.

The infection was discovered by Simon Kenin of Trustwave SpiderLabs on 31 July, when he picked up an unusual surge of cryptojacking activity in Brazil. He quickly ruled out a coincidence by noticing that all the infections were MikroTik network devices, and that all of the mining returns were going to the same entity.

By following tales of frustrated users, Kenin concluded that the Internet service providers themselves had their MikroTik routers compromised to mine cryptocurrency through their customers' computers.

The exploit itself was patched almost immediately after discovery on 23 April, but not all MikroTik users actually bothered to install the update.

By getting in through slacking ISPs, the attacker could hit all their customers, netting some 200,000 devices in short order. These devices would then inject the Coinhive mining script into web pages visited by the user.

To make matters worse for the victims, and better for the attacker, the attack also hit websites behind infected routers. So business servers using unpatched MikroTik routers and hosting websites would also cryptojack visitors to the site, regardless of where they were visiting from.

"Let me emphasise how bad this attack is," Kenin wrote. "The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices. There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily.

"Allegedly, each user would have initially gotten the CoinHive script regardless which site they visited. Even if this attack only works on pages that return errors, we're still talking about potentially millions of daily pages for the attacker."

Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Latest cryptocurrency news

Picture: Shutterstock

Get started with crypto

Ask an Expert

You are about to post a question on

  • Do not enter personal information (eg. surname, phone number, bank details) as your question will be made public
  • is a financial comparison and information service, not a bank or product provider
  • We cannot provide you with personal advice or recommendations
  • Your answer might already be waiting – check previous questions below to see if yours has already been asked

Finder only provides general advice and factual information, so consider your own circumstances, or seek advice before you decide to act on our content. By submitting a question, you're accepting our Terms of Use, Disclaimer & Privacy Policy and 6. Finder Group Privacy & Cookies Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Go to site