Cyber criminals have seen a golden opportunity in the meteoric rise of cryptocurrencies over the past year. They are harnessing devices – from laptops, to desktops, all the way up to servers – to mine cryptocurrencies such as Bitcoin or Monero. This malicious move, dubbed by some researchers as “cryptojacking,” has brought in profit for criminals targeting everything from the LA Times website to the San Diego Zoo’s website.
Carefully tracking these trends is security researcher Troy Mursch, who reports on cryptojacking activity on his website, Bad Packets Report. We asked Mursch about his top concerns in the cryptomining space.
TP: You’ve been tracking cryptomining and cryptojacking trends for a while now. What does cryptojacking mean for victims?
Mursch: In the past seven to eight months now, I’ve been closely following a new trend that’s unfortunately popped up in the security industry and it’s actually been aptly dubbed cryptojacking. Really what’s going on, to simplify it, is it’s a theft of computing resources. Miscreants are looking to steal your CPU power to mine cryptocurrency, which in turn, basically ends up being free money for them.
TP: Despite defenses against cryptojacking, the trend continues to grow along with the value of Bitcoin, Monero and other cryptocurrencies. Can you connect the dots on what’s going on?
Mursch: Yeah, the end of last year, the fourth quarter of 2017, we definitely saw a huge skyrocketing of cryptocurrency prices, especially Bitcoin, as you mentioned.
One thing that’s important to note with cryptojacking is that in most cases, it’s targeting another type of cryptocurrency called Monero which is more privacy focused – and has an obfuscated blockchain. So there’s really no tracing of transactions. And that anonymity for Monero miners makes it more attractive and lucrative for illicit purposes.
We actually have seen many high-profile [cryptojacking] incidents over the past seven months. And unfortunately, we continue to. It’s not a trend that’s going away. We’ve seen high profile incidents in September of last year, starting with Showtime, Politifact, and more recently, this year. There was actually a large incident in the United Kingdom where up to 4,000 websites were affected. Stories about cryptojacking still keep popping up in the news.
TP: Are there any cryptojacking incidents that have really stuck out to you?
Mursch: One of the most interesting ones to me, was when YouTube was affected [in January]. And that actually happened on one of the advertising platforms they use [Google’s DoubleClick]. We can’t really say it was compromised, because again, this code really is just JavaScript and [cryptojackers] were able to get the code into YouTube advertisements. And in that case, the code was actually running in many countries for almost a week.
The longer that code is running in the background mining that cryptocurrency, the more money is going to be made for the miscreants or the hacker. So the YouTube case was one of the longest in duration. And unfortunately, in the YouTube case, we never actually got any numbers from Coinhive on how much it actually made. But I’m assuming it’s definitely more than some of the previous cases like Showtime or PolitiFact or even the LA Times case, where [the cryptojacking malware] was there just for a few days or even a few hours. We know in those cases, they didn’t make very much money.
TP: One campaign that stuck out to me, or I guess it was multiple different campaigns, were the campaigns popping up after Drupalgeddon 2.0. Can you talk a little bit about that, and if you’re still seeing those types of campaigns happening?
Mursch: Drupalgeddon 2 unfortunately was definitely a very large opportunity for some of these cryptojacking campaigns. And really, this was released earlier this year. Some sites are slow to patch, unfortunately. So in this case, with the Drupalgeddon 2, I found a lot of websites, interestingly, were run by government organizations, educational institutions, and really some other well-known brands and corporations. In those cases, they were running sometimes severely outdated versions of Drupal.
It’s just really unfortunate they’re going to have this vulnerability. I even published a list, and I said: “Hey, you know, these websites are out of date.” Despite that we’re still seeing issues. There’s actually one fairly large cryptojacking campaign that’s still going on right now. I’m actually still working with some of the service providers and law enforcement to shut it down.
We’re going to continue to see these [cryptojacking] vulnerabilities come up in content management systems. When site operators are not patching, you’re going to get affected like this. And really, cryptojacking may not even be the worst-case scenario. But it is a trend that we’re seeing again and again.
TP: How can potential victims protect against these types of campaigns?
Mursch: Cryptojacking is definitely something you can take on from multiple angles. From the end user perspective, the average user with their web browser, I always recommend using a dedicated extension. Yeah, we do have ad blockers, they do block some of the cryptojacking scripts, but maybe your website depends on advertising revenue, so it’s not always the best solution.
In those cases, I recommend an extension such as minerBlock that’s frequently updated. That’ll stop the majority of cryptojacking from the end user perspective.
For website owners and operators, or system administrators, it’s a little more of a difficult task because you have to be monitoring and making sure you’re up to date with your content management system. But one thing I recommend in those cases is having some form of monitoring because, again, they’re looking to steal your CPU cycles. If you’re monitoring that resource, perhaps ahead of time, you can be alerted.
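The CPU monitoring Mursch recommends for site operators, as an added example (not code from the interview or from Bad Packets Report): it reads the aggregate `cpu` line of `/proc/stat` on a Linux host, turns two snapshots into a utilization fraction, and raises an alert only when utilization stays above a threshold for several consecutive samples, so a short legitimate spike does not fire but a miner that pins the CPU does. The host path, the 85% threshold and the six-sample window are assumptions chosen for illustration; the `/proc/stat` lines in `replay_demo` are constructed sample data.

```python
"""Sustained-CPU-load alert for spotting cryptojacking-style resource theft.

Added example, not from the original interview. Assumes a Linux host that
exposes aggregate CPU counters in /proc/stat; threshold and window values
are illustrative and should be tuned to the workload being watched.
"""
import time
from collections import deque


def parse_cpu_line(line: str) -> tuple[int, int]:
    """Return (idle_jiffies, total_jiffies) from the aggregate 'cpu' line.

    Field order in /proc/stat: user nice system idle iowait irq softirq
    steal guest guest_nice. guest and guest_nice are already folded into
    user and nice by the kernel, so only the first eight fields are summed.
    """
    fields = line.split()
    if not fields or fields[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line of /proc/stat")
    values = [int(v) for v in fields[1:]]
    if len(values) < 4:
        raise ValueError("too few counters on 'cpu' line")
    idle = values[3] + (values[4] if len(values) > 4 else 0)  # idle + iowait
    return idle, sum(values[:8])


def utilization(prev: tuple[int, int], cur: tuple[int, int]) -> float:
    """Fraction of non-idle CPU time between two snapshots, in [0.0, 1.0]."""
    idle_delta = cur[0] - prev[0]
    total_delta = cur[1] - prev[1]
    if total_delta <= 0:  # counter wrap or identical snapshots
        return 0.0
    return 1.0 - idle_delta / total_delta


class SustainedLoadDetector:
    """Fire only when utilization stays >= threshold for `window` samples in a row."""

    def __init__(self, threshold: float = 0.85, window: int = 6):
        self.threshold = threshold
        self.window = window
        self.recent: deque[float] = deque(maxlen=window)

    def feed(self, util: float) -> bool:
        self.recent.append(util)
        return (len(self.recent) == self.window
                and all(u >= self.threshold for u in self.recent))


def replay(lines: list[str], threshold: float = 0.85, window: int = 3) -> list[int]:
    """Run the detector over successive /proc/stat 'cpu' lines.

    Returns the sample indices (1-based, counting intervals) at which an
    alert fired. Useful for testing the logic offline against captured data.
    """
    detector = SustainedLoadDetector(threshold, window)
    snapshots = [parse_cpu_line(l) for l in lines]
    alerts = []
    for i in range(1, len(snapshots)):
        if detector.feed(utilization(snapshots[i - 1], snapshots[i])):
            alerts.append(i)
    return alerts


def replay_demo() -> list[int]:
    """Constructed sample: one brief spike, then four pinned intervals."""
    sample = [
        "cpu 1000 0 500 8000 100 0 0 0 0 0",   # baseline
        "cpu 1900 0 900 8200 100 0 0 0 0 0",   # spike: ~87% busy
        "cpu 2000 0 950 9700 100 0 0 0 0 0",   # back to idle: ~9% busy
        "cpu 3400 0 1400 9800 100 0 0 0 0 0",  # 95% busy
        "cpu 4800 0 1850 9900 100 0 0 0 0 0",  # 95% busy
        "cpu 6200 0 2300 10000 100 0 0 0 0 0", # 95% busy -> alert
        "cpu 7600 0 2750 10100 100 0 0 0 0 0", # 95% busy -> alert
    ]
    return replay(sample, threshold=0.85, window=3)


def monitor(interval: float = 5.0, threshold: float = 0.85, window: int = 6) -> None:
    """Live loop for a Linux host: print an alert when load stays pinned."""
    detector = SustainedLoadDetector(threshold, window)
    with open("/proc/stat") as f:
        prev = parse_cpu_line(f.readline())
    while True:
        time.sleep(interval)
        with open("/proc/stat") as f:
            cur = parse_cpu_line(f.readline())
        util = utilization(prev, cur)
        prev = cur
        if detector.feed(util):
            print(f"ALERT: CPU >= {threshold:.0%} for {window * interval:.0f}s "
                  f"(latest {util:.0%}); check for unexpected miner processes")


if __name__ == "__main__":
    monitor()
```

In the constructed replay the single spike in interval 1 never alerts on its own; alerts appear at intervals 5 and 6, once three consecutive pinned intervals have been seen. On a real host this belongs in a systemd unit or cron job feeding whatever alerting pipeline the operator already has, and the threshold should sit above the site's normal peak load rather than at a fixed 85%.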