CyberWire Daily - Cryptojacking injections heat up. [Research Saturday]

Episode Date: March 17, 2018

There's been an epidemic of cryptojacking code injections recently, as bad actors attempt to cash in on the cryptocurrency craze through unauthorized cryptomining operations on unsuspecting users. Marcelle Lee is a threat researcher at LookingGlass, and she takes us through her recently published research, Cryptojacking — Coming to a Server Near You.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:02:26 There's a variety of ways that this can happen. What it boils down to basically is code injection. That's Marcelle Lee. She's a threat researcher at LookingGlass, and today she's discussing her recently published research, Cryptojacking, Coming to a Server Near You. Code injection has been around for a long time. It's nothing new. And there are many different ways to leverage it.
Starting point is 00:03:34 But basically, attackers are just able to inject code onto different websites. And it's because there's some vulnerability in that website. It's one of the most common of the OWASP top 10 list. I think it used to be number one. I'm not sure if it's still number one. But yeah, injection is not a new thing by any stretch. So when we're talking code, we're talking JavaScript code here? Well, in the case of the Coinhive miner, that one is written in JavaScript.
Starting point is 00:04:04 So it depends. I mean, you can write code in anything, right? But the Coinhive miner that seems to be the most popular one right now is based on JavaScript. So let's just back up a little bit and just give us a definition here. What are we talking about when we say cryptojacking? So cryptojacking, my definition of it is the illegitimate mining of cryptocurrency. And it can be done a lot of different ways: through a browser, through a mobile app, lots of things. And I say illegitimate because you can certainly have coin mining activity on your website. Like, you could run it on the CyberWire's website if
Starting point is 00:04:47 you wanted to, and just have it as a way to make money. And some people even say, oh, well, you know, we're doing that instead of ads, so that's just how we're making our extra dollars. So to me, that's sort of the difference between legitimate and illegitimate. But even if you're running it intentionally on your website, in my opinion, ethically speaking, you should still have an opt-in, opt-out thing for your site visitors, which I have seen on some sites, just where you can say, sure, I don't mind mining some cryptocurrency for you. Yeah, I remember, you know, years ago, and I think it's still active, there was the SETI project analyzing radio signals from space to try to find intelligent life. And you'd give them permission to use your extra processor cycles at night, and everyone was okay with that. It was a little different than what we've got today. A little bit.
Starting point is 00:05:50 If I had had a charity, well, I have a lot of charities that I like, but, you know, say I have a charity that I like and they're doing cryptocurrency mining, then I might be like, OK, sure. I'll just let you mine all night long while I'm sleeping and it's not impacting my use of the computer. But I haven't seen a lot of that, unfortunately. And then I guess that is the point, though, that you are using people's computer resources, which involve you using electricity, you're using, I suppose, it could be wear and tear on the machine by having it run full capacity. And these folks generally aren't asking for permission ahead of time. Correct, correct.
Starting point is 00:06:16 And it really does make a huge impact on just your CPU usage and all that sort of thing. Like in the testing that I did, my CPU usage went up 500%, like pretty much instantly. And that is a fairly steady and sustained increase. It doesn't drop off until you stop the mining activity. So that can be impactful. And the research I've seen on mobile apps,
Starting point is 00:06:41 although I haven't tested it on a mobile device myself, just shows generally it's going to impact those devices even more from the wear and tear standpoint. Yeah, the heat, and also it would really drain your battery quickly, I suspect. Exactly. Like the first testing I did actually was on a laptop, and the laptop, I mean, you can hear the fans spin up right away. And the laptop got so hot, so fast, that it was literally burning my legs. It's like, oh, I need to do this at a table or something. It's pretty significant, the impact. Yeah. So let's run through some of the things you discovered, some of the various flavors, I suppose, of cryptojacking. And one of the things that you point out in your research
Starting point is 00:07:30 is that this isn't just happening in your browser. You found it in some Oracle WebLogic application servers. Yep, that's correct. And that's been fairly widely reported on now. And that was basically leveraging an input validation vulnerability. So again, it's just another injection type thing. That was earlier this year, I think that came out. And then since then, like more recently, not even in my research, was Tesla's cloud, which is an Amazon S3 bucket. Not too terribly surprisingly. That one was impacted as well. So mining and also some data loss there, data leakage.
Starting point is 00:08:11 There's been some government sites that have been hit recently. In the UK, the National Health Service. Right. Also in Australia, I forget which government agency, but they've experienced it too. But I mean, it's pretty common to see cyber attackers or criminals, or however you want to refer to it, just basically look for vulnerable sites. And often it doesn't even matter what that site is. But in this case, they're going to want sites with maximum traffic just to increase that potential for making some income off of the mining.
Starting point is 00:08:48 Yeah, it was interesting in that UK example because it was really a third-party provider. I believe it was an accessibility plug-in for the websites. And so the folks who were the original hosts of those sites, you know, were doing all the right things, but it was this third party who got attacked. Yeah, exactly. And I mean, it's through apps and just sort of those side things that are running on a website sometimes, that's where that's coming in. I've seen it also in social media, like Digmine was getting spread around on social media, and that would basically infect your Facebook account and then spread to your Facebook friends and so on and so forth. So it's interesting, because these miners are often part of another whole kit of things. So
Starting point is 00:09:40 it might be mining, it might be stealing passwords, it might be doing all different kinds of things at one time. And what we're seeing is that, whereas ransomware, well, I don't want to say ransomware is on the decline, because something terrible will happen tomorrow. I know, right? But cryptojacking seems to be definitely on the uptick. Like the RIG exploit kit, which is traditionally kind of known for ransomware, is now gearing up to do more of the cryptojacking thing. So it's interesting. I think it's probably a lot less effort to do cryptojacking
Starting point is 00:10:17 than it is to do ransomware, just because you don't have to go through the whole role of collecting ransom and so on and so forth. Yeah, I guess there's less infrastructure. There are less things you have to support with having to get the money and so on and so forth. Also, one of the things that leaves me scratching my head about cryptojacking, in your example of having botnets, for example, doing mining for cryptocurrency, I can imagine a video camera mounted on a wall in a warehouse somewhere,
Starting point is 00:10:49 and someone takes advantage of that camera to do some crypto mining. And as long as that camera still functions as a camera, no one's going to notice. Right. And so it could just go about, I suppose it would use more electricity, and as we said, it could run hotter and maybe reduce the life of the device and so on. But it's not really affecting someone in the way that ransomware is. One of the things that that leaves me scratching my head is, why don't these crypto miners, why do they go full out and try to grab all of your processing capability? Why don't they dial it in and say, all right, we're only going to use 25% because if we
Starting point is 00:11:27 only use 25% or 50% or whatever, it's much more likely that we won't be noticed. Right, exactly. And that's a good question. And I think the answer is maybe just not that much thought was put into some of these miners. But I've definitely seen, in our testing, just looking at the traffic, there are settings that you can put in there for throttling the speed, or detecting whether it's a mobile device or not a mobile device, things like that. So I mean, they are pretty customizable. It's just, you know, a lot of times people use stuff right out of
Starting point is 00:12:02 the box. Right, right. So to speak. But there's definitely customization and optimization options. Well, I suppose, too, that it's possible that they are using those options, and those are the ones that aren't being discovered because they're not drawing attention to themselves. When I initially did my testing, I found over 7,000 sites that were running Coinhive miners, which is a lot. And just this morning, for grins and giggles, I searched again, not specifically for Coinhive, but just for any miner activity. And do you want to take a guess at how many sites I found today? So you found 7,000 before. Oh, gosh. Let's go crazy, let's double it
Starting point is 00:12:48 and say 14,000. Okay, it's actually 40,000 sites that have some sort of mining activity. And there might be a few outliers that aren't really doing that, maybe it's just a site that's talking about doing it or whatever. But now, when you say you search, what does that entail? How do you do that? Oh, right. So it's nothing magical. There's actually a pretty awesome website that I use for this kind of research called PublicWWW, publicwww.com. And it allows you to basically search source code in websites. So it's a pretty awesome tool. Yeah. I just put in a little code snippet that would be actually generic to really any miner.
Starting point is 00:13:30 Yep, over 40,000. Wow. So in addition to running in browsers, we're seeing apps show up on the Google Play Store that are miners as well. Yes, yes. In fact, the one that I saw was actually like a wallpaper app. And I always tell people, like, there's always malicious apps, right? And typically,
Starting point is 00:13:53 it seems to be flashlight apps are notoriously bad. I'm not sure if there's any flashlight miners out there, but I bet there probably are. And then, yeah, like I said, this wallpaper one, so you know, you just want some pretty pictures for your background or whatever, and you get some mining along with it. So that's what I would consider a trojanized app because you're not signing up to mine, most likely, when you downloaded that app. So tell me about some of the things you discovered
Starting point is 00:14:22 where people were hijacking Wi-Fi hotspots. That was a really interesting thing, and I've actually only seen the one example of it that happened, I think, in Buenos Aires. The attackers were using a tool called CoffeeMiner, which is a man-in-the-middle tool, and it basically hijacks, when the patrons, in this case at a Starbucks, try to connect to the Wi-Fi hotspot, it injects this code, and then basically everything that they do that's on HTML sites is running the code.
Starting point is 00:14:52 So again, I've only seen the one example reported of that, but the CoffeeMiner tool is definitely out there. Yeah. Take us through what you discovered with the Zealot malware campaign. Oh, so the Zealot malware campaign leveraged the EternalBlue and EternalSynergy exploits, and basically used that and targeted Windows and Linux systems, and could basically just send up requests via HTTP on these infected servers. But it did other things, like I think that one was also extracting credentials and doing some propagation within the network.
Starting point is 00:15:47 So that one I didn't actually study myself. I just read about it. Yeah, so it's sort of in the bag of malware tricks. Cryptojacking is one of the things, I guess, one of the common things in these multi-talented kits. Cryptojacking is becoming a standard tool. Yeah, exactly. And that's what I was saying before, like with the exploit kits or like remote access tools that have sort of a variety of features, if you will.
Starting point is 00:16:15 Cryptocurrency mining just appears to be like another thing that's getting thrown into the mix. Right. And so what exactly are you finding? Just statistically, how bad is this? If a crypto miner is running on my computer, am I likely to notice? Yeah, you are likely to notice, because like I was saying before, with my own testing, the fans will fire up pretty quickly, and if you happen to be paying attention to your CPU,
Starting point is 00:16:45 you will see a sharp spike in that. It's noticeable. But then again, you know, it's noticeable if you're maybe looking for it. If you're not aware or just not paying that much attention to it, then you might not notice. Or I would say the average person probably isn't going to have the slightest idea that it's mining activity. Right, they might just think, I'm streaming a video and it's taking a lot of energy or whatever. Time to buy a new computer, right? Something like that. But so if you do notice that, what should you do? There's a couple of different things you can do.
Starting point is 00:17:19 What I personally do is use a browser extension that blocks mining activity. And there's quite a few of those out there. And they're available. Like I've seen them for Chrome, Firefox, Microsoft Edge. I think Opera just came out with one as well. So it's just something you install in your browser that detects and blocks the activity. Which is interesting because then you get to see which sites, of course, because it will pop up and say blocking their activity. Also, antivirus might pick it up.
Starting point is 00:17:49 That's kind of iffy because there's just so many variables. But I have seen a couple of different antivirus engines that detected some of this activity. And again, it kind of just depends on the vector. What about how they're serving this up through ad networks? Are the folks who are running the ad networks, are they being complicit in this? Well, I can't say whether they're being complicit or not, but I mean, they certainly could be, or they might also just be victims as well. Like the thing we were talking about with the UK sites, you can inject stuff almost everywhere,
Starting point is 00:18:22 right? It just depends on the level of security and how well that code is written. And again, you know, it's not necessarily done maliciously. It might just be to make money. One site, The Pirate Bay, I think most notoriously was serving up the cryptocurrency mining
Starting point is 00:18:40 without their users' permission. And it was discovered, but they were like, well, I don't care. So, you know, they just carried on doing it. And so, you know, then it becomes one of those things from the user, it's like, well, do I still want to go to The Pirate Bay and take that cryptocurrency mining along with it? Maybe I do, maybe I don't. You know, it's kind of a decision that you make. But like I said, most sites, you're not going to see it or know it. I think it's interesting, too, because we saw, I can't remember the site, but as you mentioned earlier, there was a site that said, you know, if you're running ad blocker, we're going to run cryptocurrency mining in the background.
Starting point is 00:19:18 Are you okay with this? I guess the question I have for you is, well, if I don't want to see ads, should I be okay with the crypto mining? Is it necessarily a deal killer? Well, I don't really like to see ads or do cryptocurrency mining. Yeah, so I mean, I have a mining blocker and I also have ad blockers, so, you know, some sites. I guess if you're sympathetic to the fact that these folks are a business and are desperately trying to make money on the Web, which is getting harder and harder to do, I guess, should we have any sympathy for them trying to go at it this way?
Starting point is 00:20:00 So I would say it depends. Like for me, it would totally depend on the website, right? So there's different news outlets that, you know, they'll say, oh, we see you're using an ad blocker. Would you please unblock? Because this is how we make our money. I think the Guardian does that. For them, I might, you know, allow those ads. And probably the same thing with the mining. I mean, chances are I'm not going to be on any one website that long that it's really going to make any kind of significant impact. Where you see more of an impact is, say, you're streaming media or something and you're mining at the same time.
Starting point is 00:20:34 That's going to make a big difference. And in fact, even the Coinhive website talks about, you know, in order to optimize your returns on this, it makes sense to inject it into sites where there's going to be that prolonged connection and communication with the user. Oh, I see. Yeah. And is this the sort of thing,
Starting point is 00:20:54 like speaking about Coinhive, if I decided that I wanted to be someone who profits from mining on other people's machines, are these things available as a service? Is this a relatively easy thing for someone to spin up and do? Yes, actually. So plenty of code out there, but I've seen even WordPress plugins
Starting point is 00:21:16 where if you want to add this functionality to your WordPress site or to somebody's WordPress site, there's lots and lots of what I would consider pretty much legit things, you know, because like many things in this field, like Coinhive, they've pretty much said, hey, we built this not ever thinking that it was going to be used maliciously.
Starting point is 00:21:39 But, you know, that train has obviously left the station. And it's the same with all the other ones too, you know. So I'm sure whoever wrote the WordPress plugins is probably like, oh, this is a cool thing, and then it gets reappropriated. Yeah, unintended consequences. Yes. The cryptocurrency that I'm seeing mostly is Monero. And as you know, most people, when they think of cryptocurrency, they think Bitcoin. It's like synonymous in their minds.
Starting point is 00:22:09 But there's many, many different cryptocurrencies. And Monero is kind of interesting because it's based on the CryptoNote cryptocurrency protocol. And it's very different from Bitcoin in that the wallets are completely private. So whereas with Bitcoin, you can look up a wallet address and see all the transactions. You can't do that with Monero. It's just a completely different algorithm. So we're definitely seeing a sort of an increase of usage with cyber criminal activity because of that. And I would say that personally to me, I've seen where Monero has really spiked or jumped up in value over the past few months. Coinhive came out, I think, around September of last year.
Starting point is 00:22:50 And since then, Monero has gone from like 100 something to it's like 300 today. So it's gone up quite a bit. It might be a good investment. I don't know. Right. You're not technically a financial advisor, so listeners should not take financial advice. Right. So it's the coin of choice because it provides that anonymity that Bitcoin does not. Exactly.
Starting point is 00:23:19 Our thanks to Marcelle Lee for joining us. You can read her complete report, Cryptojacking, Coming Soon to a Server Near You, on the LookingGlass website. It's in their blog section. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:24:36 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
