Hackers use organizations’ resources for stealthy cryptocurrency mining

Hackers lusting after cryptocurrency but not wanting to spend money to buy it or mine it are targeting users wallets, computers, popular Web sites and public cloud computing environments.

Mining software/malware is a well known pest, and instances of employees using their company’s or organization’s computer resources to surreptitiously mine cryptocoin are regularly uncovered. But lately we’ve been witnessing a number of inventive strategies employed by cryptocurrency-hungry attackers.

Cryptocurrency mining in the browser

A few weeks ago, it was discovered that several Web sites of CBS’s subsidiary Showtime have been equipped with Monero-mining JavaScript code supplied by Coinhive. Visitors to those Web sites had their computer’s CPU power roped into mining the cryptocurrency by unidentified attacker who introduced the script into the site’s source code.

A security researcher’s scan of the million most popular Web sites revealed that many sites use this and other similar scripts legitimately (they inform their users about it). Unfortunately, there are also many that seem to have been compromised and equipped with the script surreptitiously.

“The BBC contacted several of the sites in the UK running the Coin Hive script and those that responded said they did not know who added it to their site. Some have now deleted the mining code, updated their security policies and are investigating how the code was implanted,” the news outfit noted. Among these are file-sharing, charity and school Web sites.

Coinhive – a legitimate project that provides the JavaScript code to website owners and keeps around 30% of the value of the mined Monero to keep functioning and turn a profit themselves – wants site administrators to disclose their use of the code to the visitors. Unfortunately, they have no way to enforce that requirement.

The team behind the project said they will be developing an implementation that requires an explicit opt-in from the end user to run. Also, they’ve been banning accounts of users who misused their script.

Many ad-blockers are already blocking the Coinhive script, and Cloudflare has begun suspending the accounts of sites that deploy cryptocurrency miners on their platforms.

Exploiting unsecured cloud computing environment

In a recent report about cloud security trends, security outfit RedLock told of a number of instances of attackers using organizations’ cloud computing resources to mine Bitcoins.

“The investigation began when the RedLock CSI team found a number of Kubernetes administrative consoles deployed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform that were not password protected. These instances were effectively open to the public and created a window of opportunity for hackers,” the company explaned.

“Upon deeper analysis, the team discovered that hackers were executing a Bitcoin mining command from one of the Kubernetes containers. The instance had effectively been turned into a parasitic bot that was performing nefarious activity over the internet.”

Among these Kubernetes administration consoles they found some belonging to large multinational corporations such as Aviva and Gemalto.

In Aviva’s case, the console was also leaking critical infrastructure passwords such as AWS access keys and secret tokens.

“The attacker had created a randomized email address (didi123123321@gmail.com), which was difficult to trace back to a specific entity,” the researchers noted, and pointed out that it is very likely that the attacker has automated exploitation of misconfigured Kubernetes consoles.