Abstract
The release of an efficient browser-based cryptominer, as introduced by Coinhive in 2017, has quickly spread throughout the web, either as a new source of revenue for websites or exploited within the context of hacks and malicious advertisements. Several studies have analyzed the Alexa Top 1M and found 380 - 3,200 websites [5, 15, 18, 30, 31] (0.038% - 0.32%) to be actively mining, with an estimated $41,000 per month revenue for the top 10 perpetrators [18]. While placing a cryptominer on a popular website supplies considerable returns from its visitors' web browsers, it only generates revenue while a client is visiting the page. Even though large popular websites attract millions of visitors, the relatively low number of exploiting websites limits the total revenue that can be made. In this paper, we report on a new attack vector that drastically overshadows all existing cryptojacking activity discovered to date. Through a firmware vulnerability in MikroTik routers, cyber criminals are able to rewrite outgoing user traffic and embed cryptomining code in every outgoing web connection. Thus, every web page visited by any user behind an infected router mines for the profit of the criminals. Based on NetFlows recorded in a Tier 1 network, semiweekly crawls and telescope traffic, we followed their activities over a period of 10 months, and report on the modus operandi and coordinating infrastructure of the perpetrators, who were during this period in control of up to 1.4M routers, approximately 70% of all MikroTik devices deployed worldwide. We observed different levels of sophistication among adversaries, ranging from individual installations to campaigns involving large numbers of routers. Our results show that cryptojacking through MITM attacks is highly lucrative, by a factor of 30 more than previous attack vectors.
Original language | English |
---|---|
Title of host publication | CCS'19 Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security |
Subtitle of host publication | Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security |
Place of Publication | New York |
Publisher | Association for Computing Machinery (ACM) |
Pages | 449-464 |
Number of pages | 16 |
ISBN (Print) | 978-1-4503-6747-9 |
DOIs | |
Publication status | Published - 2019 |
Event | 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019 - London, United Kingdom Duration: 11 Nov 2019 → 15 Nov 2019 |
Conference
Conference | 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019 |
---|---|
Country/Territory | United Kingdom |
City | London |
Period | 11/11/19 → 15/11/19 |
Keywords
- Cryptojacking
- Cyber threat intelligence
- MikroTik
- MITM
- Router