Crypto Miners Ate My Server

Stephen Kennedy - Lead Web Developer

The news is filled with companies changing their names to things like “Long Blockchain” to boost their stock prices, and other seemingly ridiculous news stories as the financial word whips itself into a fervor over BitCoin, Cryptocurrencies, and the technologies behind them.

But they aren’t the only ones.

For a long time, the real initial hurdle to getting involved was the hardware and electrical costs associated with running the machines to mine these Cryptocurrencies, but as humanity has proven many times before, where there is a will there is a way. And hackers really, really, want that sweet Crypto-change.

In what seems to have been a perfect storm for this kind of attack, a few things have happened over the last year to set the stage. First of all, some new Cryptocurrencies were developed specifically to be mined by CPUs, allowing more traditional and widely available hardware to contribute to organized money-making efforts. Second, a JavaScript Crypto Miner (developed by the company Coin Hive) was developed so that webmasters could use visitor's computers to mine and offset some hosting costs. And in the background waiting, there are a frightening number of virtual servers in the cloud (Google Cloud Services, AWS) where users are forgetting to replace the default passwords.

Now, let’s add to that the current state of the internet. WordPress is still one of the most popular frameworks used on the internet today. It’s open-source nature and the wide variation in methodology between authors of its plugins have historically led to some rather glaring security holes created by framework issues, plugin interaction, and poorly-tested code. Usually, these are addressed relatively quickly and patched out, but when you also know that the majority of WordPress websites are not regularly updated or maintained, you can count on a whole host of easy to infect websites.

For the less ethically inclined, this presents a relatively unique opportunity.

And late last year, the less ethically inclined took advantage of that opportunity. In December, WordFence (one of the top security plugins and recovery services for the WordPress platform) detailed a record-breaking organized brute force attack.

As their article explains, they had the unique opportunity of having access to one of the compromised servers in the botnet (the network of compromised devices running semi-automated tasks for the attacker). They were able to map a small segment of the botnet and glean some information about the purpose and methods of the attack. It was attempting to brute force as many servers as possible and install crypto-mining software on them, while balancing this effort with continuing to spread the reach of the botnet. The attack used several wallets, but one of them was worth $100,000 as of December 19th.

But, that is only the beginning. As Security Researcher Troy Mursch outlines for us, 2017 was the year of organized and sophisticated attacks designed to do one thing: to take the Coin Hive Miner and place it in as many websites as possible, and these attempts were not solely centered on low traffic easy to compromise sites. The Coin Hive JavaScript existed for a length of time on Showtime’s Anytime service, PolitiFact, UFC’s Fight Pass service, Everlast Worldwide, and has been reported in multiple Browser Extensions for Mozilla FireFox and Google Chrome.

In many places the Miner masquerades as more benign and useful utilities like jQuery or Bootstrap, and the more interesting variations will open the Miner in a new browser window, and hide that window behind your system clock, making it hard to notice if you are not carefully tracking what applications are open at any given time.

There are modest steps being made to make the Coin Hive Miner less easy to abuse. The company is terminating the accounts of people it suspects of abusing the service, and the newest version of the JavaScript requires the user to opt-in before starting to mine; but as of December 24th, the old JavaScript and its numerous derivative scripts are still functional.

I am interested to see where this trend in malware evolves in 2018, but for the moment, I’d like to leave you with two helpful tips:

  1. Mining Cryptocurrency is hardware intensive. If someone is using your computer to mine, it is relatively easy to determine if you know what to look for. Web browsers tend to use a fair bit of memory, but not a lot of CPU; if you use Windows, you can open your task manager (CTRL + SHIFT + ESC for Windows 10/8, CTRL + ALT + DELETE for Windows 7) to see how much of your CPU and Memory each running application is using. On Windows 10/8, you may have to click “More Details” before that information is visible. Keep an eye on your web browser if you suspect things are running more slowly than they should be. As always, be careful with the task manager, as you can accidentally terminate vital system processes.
  2. The best defense is always preventative. A lot of major Ad-Blockers are moving to stop this kind of thing. Two that currently block the Coin Hive Miner are uBlock Origin and No Coin. With the latter's goal being only to block JavaScript miners, it may be the better choice if you find Ad-Blockers ethically unappealing.

Have any thoughts on this growing trend of malicious Crypto Mining? Did Crypto-Miners eat your server? Let us know below:

Thursday January 25th, 2018#cryptocurrency #malware #javascript