Cryptomining malware attacks are becoming the web’s most prevalent security threat
If ransomware was the most high-profile threat last year, then cryptomining is well on the way to supplanting it as the greatest threat to web hygiene in 2018.
Instead of encrypting the contents of a computer and blackmailing victims into paying for a decryption key, cryptomining relies on installing scripts onto victims’ systems in order to mine cryptocurrency. The resulting funds go directly into swelling the wallets of crooks.
The most pervasive model comes from abusing a script created by Coinhive. Used legitimately, the Coinhive JavaScript offers website owners a revenue stream as an alternative to serving online ads to surfers. The software mines Monero currency directly within the browser.
Problems arise because of the perilous state of web security and the relative ease of injecting malicious code into websites. Cybercriminals quickly began exploiting existing injection techniques. Mainstream websites as well as more salubrious locales were abused to plant Coinhive scripts.
So-called ‘drive-by’ cryptomining attacks from these compromised sites offer a platform-agnostic technique that forces visitors to a website to unwittingly mine for cryptocurrency. The problem is growing in prevalence.
I’m alright (click) Jack
Last month 4,000 websites – including those of numerous UK government organizations – were hit with a cryptojacking campaign. A malicious alteration to the BrowseAloud JavaScript library (normally a disability access technology) was used to mine Monero, as previously reported.
From May 2017 to February 2018, alerts for cryptocurrency mining traffic across the client base of infosec firm Secureworks rose from 15,000 to as much as 280,000.
Most identified cryptocurrency miners generate Monero. Unlike Bitcoin, Monero mining is feasible outside of servers and on mainstream PCs and mobile devices.
Dark web forums offer obfuscation, malware builders, and botnet access to hide criminal cryptomining.
Coinhive introduced a new API, AuthedMine, last October that explicitly requires user input for any mining activity to be allowed.
However, stats from security software firm Malwarebytes have revealed that the opt-in version of Coinhive’s API was barely used (40,000 per day) in comparison to the ‘silent’ one (three million per day) during January to February this year.
Coinhive developers dispute this, but the findings nonetheless cast a shadow over hopes the more ethical API would take off as a way of allowing website visitors to opt in or out before engaging in cryptomining.
Experiments in offering cryptomining as an alternative to ads by the likes of The Pirate Bay and others have largely proved ineffective.
Of course, none of this is a consideration for crooks. And as with any other profitable malware model, cyber criminals are continuing to innovate.
In several recent cases, such as an attack on the LA Times homicide site, Amazon Web Services configuration errors have been used to plant cryptominers in the targets’ S3 buckets.
These attacks are generally possible only because an S3 bucket used for content delivery was world-writable. Attackers could have delivered truly destructive malware (such as ransomware) using the same techniques.
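A defender can audit for the world-writable condition described above by inspecting a bucket's ACL grants and bucket policy. The following is an added example, not code from the article or from AWS; it runs offline on constructed sample data shaped like the Grants list and Policy string that boto3's get_bucket_acl and get_bucket_policy return, and the bucket name and owner ID are placeholders.

```python
import fnmatch
import json

# ACL group URIs meaning "anyone" and "any AWS account holder".
_GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {_GROUPS + "AllUsers", _GROUPS + "AuthenticatedUsers"}
ACL_WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Actions that let a caller change bucket content or its access rules.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                 "s3:PutBucketPolicy", "s3:PutBucketAcl")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_write_findings(acl, policy_json=None):
    """Return reasons the bucket is publicly writable (empty list: none found)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in ACL_WRITE_PERMS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    for stmt in _as_list(statements):
        principal = stmt.get("Principal")
        public = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") != "Allow" or not public:
            continue
        note = " (has Condition, review manually)" if stmt.get("Condition") else ""
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain wildcards.
            if any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in WRITE_ACTIONS):
                findings.append(f"policy allows {pattern} to everyone{note}")
    return findings

# Constructed sample data (hypothetical bucket "example-cdn-bucket").
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": _GROUPS + "AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": _GROUPS + "AllUsers"}, "Permission": "WRITE"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cdn-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-cdn-bucket/*"},
]})

if __name__ == "__main__":
    print("\n".join(public_write_findings(SAMPLE_ACL, SAMPLE_POLICY)))
```

Public read on a content-delivery bucket is expected and is not flagged; only grants that let anyone add, replace or delete objects, or change the bucket's access rules, are reported.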
Digging deeper
Web security firm Imperva last week reported on a new generation of crypto-jacking attacks aimed at both database servers and application servers. The malware, dubbed RedisWannaMine, features worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their wallets.
Kaspersky Lab recently reported how hackers had begun to use tactics and techniques developed in running cyber-espionage attacks to plant mining malware.
Mining malware is frequently offered under the guise of either cracked games or pirated software.
Like Secureworks, Kaspersky Lab reports that the growing availability of tools to build mining malware as well as partner programs are making it easy for would-be cybercriminals to get into cryptomining.