CoinHive, the malware behind the cryptojacking epidemic that is currently hitting the world hard, has infected over 11,000 routers in Iran, the country’s cybersecurity authority reports.
According to the Iran Computer Emergency Response Team Coordination Center (Iran CERTCC), 11,363 MikroTik routers in Iran have been infected with CoinHive, a cryptojacking malware used for mining Monero.
Crypto jacking is a form of cyber attack through which hackers harness victims’ computer processing power to mine cryptocurrency on the hacker’s behalf. This form of malevolent cyber conduct has become popular with criminals.
Iran CERTCC says that Iran is the fourth hardest-hit country in this attack, after Brazil (81,848 reported cases), India (29,265), and Indonesia (23,143).
The most affected cities in Iran have been Tehran, with 606 infections detected, followed by Isfahan (244), Tabriz (144), Bushehr (88), and Khoy (40). Some of the compromised routers are owned by communication operators such as the Telecommunication Company of Fars, Asman Faraz ISP, and Pishgaman ISP.
CoinHive is a piece of software used, generally in-browser, by websites to borrow visitor CPU power temporarily in order to mine the virtual currency Monero. Widespread abuse of the script has led to many antivirus and cybersecurity solutions companies blocking the script.
The massive cryptojacking campaign that enslaves MikroTik routers and networking devices was initially detected on July 31, according to Trustwave researcher Simon Kenin, technology website ZDNet reported. According to cybersecurity researchers, the surge in the CoinHive epidemic is far from over.
At the time, Kenin noticed that all of the infected devices were using the same CoinHive site-key which indicates that all of the devices involved were mining for virtual gold on behalf of one controlling entity.
> MikroTik Vulnerability
Latvia-based MikroTik provides network equipment for customers worldwide.
The vulnerability which allowed the MikroTik routers to become cryptocurrency mining slaves was no zero-day; instead, it is CVE-2018-14847, a known security bug impacting Winbox for MikroTik RouterOS.
In computer security jargon, a zero-day is a vulnerability that is exploited before the interested party (presumably the vendor of the targeted system) learns of it.
Through version 6.42 of the RouterOS software, remote attackers are able to bypass authentication and read and change files on the routers. The mass exploitation of these devices is not necessarily the vendor’s fault. The bug was patched within a day of discovery, but sadly, hundreds of thousands of devices have not been updated, leaving them vulnerable to exploitation.
By exploiting the security flaw, the threat actor responsible for the cryptojacking campaign was able to compromise the routers and inject the CoinHive script into every web page visited by users behind them.
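The two observations above, a miner script injected into every page served through a compromised router and one shared site key across all infected devices, are what a defender would look for in captured HTTP responses. The following is an added example (not code from the article, Trustwave or Iran CERTCC): it scans HTML bodies for the CoinHive client library and its `CoinHive.Anonymous(...)`/`CoinHive.User(...)` call, extracts the site key, and groups pages by key so that many unrelated sites sharing one key stand out as a single upstream injector. The page bodies, hostnames and site keys are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample pages, as a proxy or IDS might capture them from clients
# behind a router. The coinhive.min.js path and CoinHive.Anonymous('<key>')
# call are the client library and API the CoinHive service documented; the
# hostnames and site keys below are placeholders, not real indicators.
SAMPLE_PAGES = {
    "http://news.example/index.html": """<html><head><title>News</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_KEY_AAAA');
miner.start();</script></head><body>Hello</body></html>""",
    "http://shop.example/cart": """<html><body>Cart
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous("PLACEHOLDER_KEY_AAAA").start();</script>
</body></html>""",
    "http://blog.example/post/1": "<html><body><p>No miner here.</p></body></html>",
    "http://other.example/": """<html><body>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous('PLACEHOLDER_KEY_BBBB').start();</script>
</body></html>""",
}

# A <script> tag whose src ends in coinhive.min.js (scheme-relative URLs too).
MINER_LIB = re.compile(r'<script[^>]+src=["\']?[^"\'>]*coinhive\.min\.js', re.I)
# The site key passed to the miner constructor.
SITE_KEY = re.compile(r'CoinHive\.(?:Anonymous|User)\(\s*["\']([A-Za-z0-9_\-]+)["\']')

def find_miner(html):
    """Return (library_tag_found, [site keys]) for one HTML body."""
    return bool(MINER_LIB.search(html)), SITE_KEY.findall(html)

def attribute_by_site_key(pages):
    """Map each site key to the sorted list of page URLs carrying it.
    Unrelated sites sharing one key points to a single upstream injector
    (e.g. a compromised router) rather than site owners opting in."""
    by_key = defaultdict(set)
    for url, html in pages.items():
        lib_found, keys = find_miner(html)
        if lib_found or keys:
            for key in keys or ["<library without key>"]:
                by_key[key].add(url)
    return {key: sorted(urls) for key, urls in by_key.items()}

if __name__ == "__main__":
    for key, urls in attribute_by_site_key(SAMPLE_PAGES).items():
        print(f"site key {key}: {len(urls)} page(s)")
        for url in urls:
            print("   ", url)
```

Run against real captures, a key that appears on many hosts that do not otherwise share an owner is the strongest sign of injection in transit rather than a site-level decision.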
This cyber attack campaign is yet another example of what can happen on a vast scale should electronic devices not receive security updates.
> CoinHive
CoinHive is a piece of JavaScript code that allows website owners and cybercriminals to make money by using visitors’ computers to mine Monero, a highly profitable cryptocurrency.
According to a recent study by cybersecurity firm Check Point, CoinHive, which the company categorizes as malware, is the most prevalent malicious software online.
Computer hardware and electricity costs are the two main limits cryptocurrency miners face. By cryptojacking, miners can circumvent these limits.
CoinHive is not the only cryptojacking malware out there; others, such as Cryptoloot and Rocks, have been detected. All of these perform the same procedure.
Google has introduced several extensions for its web browser Chrome which after installation can protect computers from being targeted by cryptojackers.
In its statement, Iran CERTCC calls on all computer users to install up-to-date antivirus programs on their computers.
> Previous Attacks
This is the third major cryptojacking attack reported in Iran.
In May, Iran CERTCC issued an alert saying that a piece of cryptojacking malicious software had gone viral in the country.
The cybersecurity authority did not provide further information on the attack; however, at the time it was speculated that CoinHive was the malicious software used by the hackers.
Earlier, in February, the center reported that some popular local websites were “borrowing” visitors’ central processing units (CPUs) to mine virtual coins without the visitors’ consent. Again, CoinHive was used by the culprits.