Unpatched router vulnerabilities were ripe for cryptojacking, but quick concerted collaboration saved the year.

Interpol, the international criminal police organization, recently revealed the results of its six-month operation, named Goldfish Alpha, to secure hacked routers in Southeast Asia.

At its press conference in Singapore, Interpol said the operation had reduced cryptojacking in the SEA region by 78% compared with June 2019 levels. It all started when Interpol learned in that month that more than 20,000 vulnerable routers made by MikroTik had been hacked, and cybercriminals were using them to mine cryptocurrency.

In the six months that followed, Interpol worked closely with national police and Computer Emergency Response Teams (CERTs) from 10 countries: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam.

Two private-sector companies took part in the operation: the Cyber Defense Institute and Trend Micro. They shared information and analyses of cryptojacking cases, and provided participating countries with guidelines for patching infected routers and advice on preventing future infections.

The National Cyber Security Center of Myanmar also issued a set of good cyber hygiene guidelines for protecting against cryptojacking. These guides were disseminated to law enforcement and CERT teams, which then contacted infected victims across their respective countries and worked with router owners to secure devices. When the operation concluded in late November, the number of infected devices had been reduced by 78%, Interpol officials said. Efforts to remove the infections from the remaining devices are set to continue.

First MikroTik routers; what next?

Trend Micro commented that illegal crypto-mining was the most detected threat in the first half of 2019. Hacking MikroTik routers and injecting crypto-mining scripts has been a popular practice among hackers since the summer of 2018, when a MikroTik router vulnerability had been disclosed publicly.

Since then, cybercriminals have hijacked and infected more than 200,000 routers with crypto-mining scripts. Said Niels Schweisshelm, Technical Program Manager at HackerOne: “Cryptojacking is an emerging threat that should not be taken lightly, looking at the potential vulnerable devices worldwide that can be used to perform this attack. By exploiting unpatched devices such as routers or application servers running Oracle WebLogic, for example, it becomes possible for malicious actors to place their own code to mine cryptocurrencies on the affected machines. This results in the malicious actors being able to ‘steal’ processing power.”

According to Schweisshelm, this attack vector could be prevented by setting up a voluntary disclosure program (VDP) or bug bounty program where researchers can identify the typical vulnerabilities used by malicious actors to perform crypto-jacking attacks before they are exploited.

Proper patch management and identifying sudden energy spikes in CPUs/GPUs could also help prevent and identify crypto-jacking attacks.
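The CPU-spike check mentioned above, as an added example that is not from the article, Interpol, HackerOne or any vendor: it flags a sustained step-change in CPU load (the footprint of a miner that never stops) while ignoring short bursts, with the load samples constructed for illustration and the window sizes chosen as assumptions.

```python
from statistics import median
from typing import List, Optional

# Constructed sample data (not real router telemetry): CPU load in percent,
# polled once a minute. Idle load for 12 samples, then a miner starts and
# keeps the device pinned near 100%.
SAMPLE_CPU: List[int] = [6, 5, 7, 6, 5, 8, 6, 7, 5, 6, 7, 6,
                         94, 97, 95, 98, 96, 97, 99, 95, 96, 98]

# Constructed control series: one brief burst (e.g. a config reload), then idle.
SHORT_BURST: List[int] = [6, 5, 7, 6, 5, 8, 6, 7, 5, 6, 95, 6, 7, 5, 6, 7]


def detect_sustained_spike(samples: List[int],
                           baseline_len: int = 8,
                           min_duration: int = 5,
                           jump: float = 40.0) -> Optional[int]:
    """Return the index at which a sustained CPU rise begins, or None.

    Each candidate start is compared with the median of the `baseline_len`
    samples before it (median resists a single outlier in the baseline).
    An alert requires at least `min_duration` consecutive samples that sit
    `jump` percentage points above that baseline, so a single spike from a
    legitimate task is not reported. Window sizes are assumed defaults; tune
    them to the polling interval and the device's normal load profile.
    """
    if len(samples) < baseline_len + min_duration:
        return None  # not enough history to judge
    for start in range(baseline_len, len(samples) - min_duration + 1):
        baseline = median(samples[start - baseline_len:start])
        window = samples[start:start + min_duration]
        if all(s >= baseline + jump for s in window):
            return start
    return None


if __name__ == "__main__":
    for name, series in (("miner-like", SAMPLE_CPU), ("short burst", SHORT_BURST)):
        hit = detect_sustained_spike(series)
        print(f"{name}: {'alert at sample ' + str(hit) if hit is not None else 'no alert'}")
```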