Crypto Miners Ate My Server
The news is filled with companies changing their names to things like “Long Blockchain” to boost their stock prices, and other seemingly ridiculous news stories as the financial world whips itself into a fervor over BitCoin, Cryptocurrencies, and the technologies behind them.
But they aren’t the only ones.
For a long time, the real initial hurdle to getting involved was the hardware and electrical costs associated with running the machines to mine these Cryptocurrencies, but as humanity has proven many times before, where there is a will there is a way. And hackers really, really want that sweet Crypto-change.
Now, let’s add to that the current state of the internet. WordPress is still one of the most popular frameworks used on the internet today. Its open-source nature and the wide variation in methodology between authors of its plugins have historically led to some rather glaring security holes created by framework issues, plugin interaction, and poorly-tested code. Usually, these are addressed relatively quickly and patched out, but when you also know that the majority of WordPress websites are not regularly updated or maintained, you can count on a whole host of easy-to-infect websites.
For the less ethically inclined, this presents a relatively unique opportunity.
And late last year, the less ethically inclined took advantage of that opportunity. In December, Wordfence (one of the top security plugins and recovery services for the WordPress platform) detailed a record-breaking organized brute force attack.
As their article explains, they had the unique opportunity of having access to one of the compromised servers in the botnet (the network of compromised devices running semi-automated tasks for the attacker). They were able to map a small segment of the botnet and glean some information about the purpose and methods of the attack. It was attempting to brute force as many servers as possible and install crypto-mining software on them, while balancing this effort with continuing to spread the reach of the botnet. The attack used several wallets, but one of them was worth $100,000 as of December 19th.
In many places the Miner masquerades as more benign and useful utilities like jQuery or Bootstrap, and the more interesting variations will open the Miner in a new browser window, and hide that window behind your system clock, making it hard to notice if you are not carefully tracking what applications are open at any given time.
I am interested to see how this trend in malware evolves in 2018, but for the moment, I’d like to leave you with two helpful tips:
- Mining Cryptocurrency is hardware intensive. If someone is using your computer to mine, it is relatively easy to determine if you know what to look for. Web browsers tend to use a fair bit of memory, but not a lot of CPU; if you use Windows, you can open your task manager (CTRL + SHIFT + ESC for Windows 10/8, CTRL + ALT + DELETE for Windows 7) to see how much of your CPU and Memory each running application is using. On Windows 10/8, you may have to click “More Details” before that information is visible. Keep an eye on your web browser if you suspect things are running more slowly than they should be. As always, be careful with the task manager, as you can accidentally terminate vital system processes.
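The Task Manager check above can also be scripted, which helps on a server or over a remote session where nobody is watching the screen. The PowerShell below is an added example, not part of the original post; the function name and the default sample count, interval and threshold are assumptions to tune for your own machine.

```powershell
# Added example: list processes whose CPU use stays high across several samples.
# Defaults (3 samples, 5 s apart, 40% of total CPU) are assumed values.
function Get-SustainedCpuProcess {
    param(
        [int]$Samples = 3,
        [int]$IntervalSeconds = 5,
        [double]$ThresholdPercent = 40
    )
    $cores = [Environment]::ProcessorCount
    $hits = @{}   # process Id -> number of samples at or above the threshold
    $last = @{}   # process Id -> most recent measurement for the report

    # Baseline: total CPU seconds used so far by each process we can read.
    $prev = @{}
    foreach ($p in Get-Process) {
        if ($null -ne $p.CPU) { $prev[$p.Id] = $p.CPU }
    }

    for ($i = 0; $i -lt $Samples; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = @{}
        foreach ($p in Get-Process) {
            if ($null -eq $p.CPU) { continue }               # access denied
            $now[$p.Id] = $p.CPU
            if (-not $prev.ContainsKey($p.Id)) { continue }  # started mid-run
            # CPU seconds used in this interval as a share of all cores
            # (approximate, and on the same scale Task Manager shows).
            $pct = 100 * ($p.CPU - $prev[$p.Id]) / ($IntervalSeconds * $cores)
            if ($pct -ge $ThresholdPercent) {
                $hits[$p.Id] = 1 + [int]$hits[$p.Id]
                $last[$p.Id] = [pscustomobject]@{
                    Name       = $p.ProcessName
                    Id         = $p.Id
                    CpuPercent = [math]::Round($pct, 1)
                    MemoryMB   = [math]::Round($p.WorkingSet64 / 1MB)
                }
            }
        }
        $prev = $now
    }

    # Report only processes that were busy in every sample, not one-off spikes.
    $hits.Keys | Where-Object { $hits[$_] -eq $Samples } |
        ForEach-Object { $last[$_] } | Sort-Object CpuPercent -Descending
}

Get-SustainedCpuProcess | Format-Table -AutoSize
```

A web browser that appears in this list while no heavy page is open is the pattern the tip describes.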
Have any thoughts on this growing trend of malicious Crypto Mining? Did Crypto-Miners eat your server? Let us know below: