Risks from crypto-mining and third-party scripts


News broke this week that some 4000 websites around the world had been compromised with an infected script which had been forcing affected computers to mine cryptocurrencies for attackers. The most prominent of affected sites include the NHS, Student Loans Company, the Information Commissioner’s Office and multiple other government websites.

What is crypto-mining?

Cryptocurrencies are a form of decentralised digital currency which originally started with Bitcoin in 2009 as a ‘peer-to-peer electronic cash system’. Essentially it is a database of entries which cannot be edited or changed without verification from the network of users. Rather than using a bank as a middleman, the system connects consumers and suppliers to allow secure exchanges which are approved, verified and recorded by a chain of computers in a blockchain. Cryptocurrencies have gained in popularity and infamy with their rapid value growth and decline in increasingly short timeframes. For those wishing to get involved with the currency, you can buy it outright, or you can earn it legitimately through crypto-mining.

Crypto-mining is essentially providing bookkeeping services to your chosen coin network, verifying the transactions as part of the chain and being paid in fractions of the digital currency. The process requires investment in significant computing power and high-powered processors for users to generate significant amounts of digital currency. As a result, industrious cyber criminals have been finding ways to expand their computing capacity through crypto-jacking.

Crypto-jacking is when a computer’s CPU or GPU is unknowingly used as a processing resource to mine cryptocurrencies. The attackers usually reach users’ computers through vulnerabilities in third-party software installed on popular websites, which allows the mining code to be delivered to visitors. After visiting the infected website, the computer’s processing power is hijacked to mine for cryptocurrencies.

Looking specifically at the Monero digital currency, Talos Intelligence estimated that an average system could generate $0.25 of Monero a day, which with 2,000 victim computers, could generate ‘$500 per day or $182,500 per year’.

Check Point’s 2017 Global Threat Index placed malicious crypto-mining in its top ten most common malware list due to its rapid growth and infiltration of many popular websites. The latest figures from Check Point’s research team suggest that 55% of organisations worldwide have been impacted in some way by crypto-mining.

What exactly happened this week?

Texthelp’s Browsealoud software had been installed on many websites to allow blind and partially sighted users to access the web by converting site text to audio. Attackers had compromised the JavaScript file within the third-party software, which effectively ran the CoinHive miner on the machines of end users who visited the affected sites.

While Bitcoin is probably the most well-known cryptocurrency, there are now over a thousand virtual currencies available. This latest attack was mining the Monero cryptocurrency which is often placed in the top 20 lists of ‘altcoins’ now available.

“Crypto-mining is a new, silent, yet significant actor in the threat landscape, allowing threat actors to make significant revenues while victims’ endpoints and networks suffer from latency and decreased performance.”
Maya Horowitz, Threat Intelligence, Group Manager at Check Point

What are the risks?

In response, Browsealoud was temporarily taken offline as a precautionary measure and their CTO Martin McKay stated that ‘the risk was mitigated for all customers within a period of four hours’. However, this attack clearly shows how third-party software can introduce vulnerabilities to your website and to your organisation.

The thirst for the increased computing power and bandwidth required to mine significant amounts of digital currencies has encouraged cyber criminals to look beyond individual user computers and instead focus on major infrastructure firms. The critical infrastructure security firm Radiflow recently reported that crypto-jacking malware was discovered on its network and neutralised before their systems were compromised. The malware was designed to be ‘quiet’, leeching as much power from the system as possible without causing noticeable problems. However, the system could easily be overwhelmed by the increased processor and network usage, which could cause ‘applications to hang or crash’; in industrial situations this could prevent an operator from controlling their plant.

What potential solutions are there?

This latest incident encourages us to look in more detail at the third-party apps, widgets, plugins and scripts we use on our websites as well as the websites we visit.

To mitigate the risks from this kind of attack, simply adding a Subresource Integrity (SRI) security feature allows the browser to determine if the third-party script has been modified in any way. SRI performs an integrity check on every third-party script your pages load: the browser hashes the file it actually fetched and compares the result with the hash declared in the script tag, refusing to run the script if the two do not match.

Understanding the vulnerabilities your systems, applications and infrastructure have is key to ensuring they are not exploited. Penetration testing exercises are invaluable when it comes to finding and patching any gaps.
