At CviaD, we believe that beyond providing web and interactive services, we have a responsibility to keep our clients informed about large-scale trends that have the potential to impact their business. Over the past year we’ve seen such a trend involving the rise of sophisticated networks of “cryptohackers” targeting all manner of publicly accessible systems and software. We want our friends and clients to be informed about this threat so that they can take the appropriate steps to keep their data and services secure.

What are cryptohackers?

With the increasing interest in cryptocurrencies, such as Bitcoin, Ethereum, and Monero, criminal syndicates and even state actors, such as North Korea, are looking for ways to profit from these burgeoning and largely unregulated markets. These groups have begun employing large teams of hackers to identify and exploit vulnerabilities in popular software and hardware platforms. Their goal is to clandestinely install software that generates, or “mines,” cryptocurrencies onto thousands of publicly accessible computer networks and websites. Sometimes this software mines currency on the server itself, while other times it causes website visitors to download a piece of code that begins mining currency on the visitor’s desktop or mobile device. Often this software runs undetected for months or years, periodically connecting with the hacker’s network or cryptocurrency marketplace to sell the mined currency, which is then credited to the group’s account.

Haven’t hackers always been a problem?

Hackers have long targeted various types of hardware and software, sometimes in order to steal data, and sometimes to steal other resources, such as bandwidth for hosting illicit websites. In the past, such hackers tended to be rather unsophisticated and disorganized. Oftentimes their attacks were limited to prominent websites, and were relatively easy to diagnose and defend against. It was also not uncommon to see a website with significantly outdated software that had never been hacked, merely because the website was small enough, and lucky enough, to never be targeted.

So how is this threat different?

Cryptohacking has quickly reached a scale and level of sophistication never before seen. The large profit margin of cryptocurrency has provided the means and incentive for these groups to develop massive networks of compromised systems, known as “bots”, which can be used to search for, infect, and leverage other vulnerable systems, thus continuously increasing the size of the hacker’s network. Criminal syndicates and state actors are also able to employ large numbers of skilled hackers to analyze codebases and to probe systems for new vulnerabilities. The average time between when a vulnerability is found by security experts, and when it is exploited by hackers, has shrunk from months to days or even hours, and hackers are increasingly finding vulnerabilities before they are discovered by security experts.

Who is vulnerable?

Unlike in the past, when hackers tended to focus on particular systems, cryptohackers have spread a wide net. In the past year, nearly every type of software and hardware system has been targeted, including:

  • CPUs, including Intel and AMD
  • Smartphones, including Android
  • IoT (Internet of Things), including web-connected refrigerators, light bulbs, and cars
  • Server software, including Microsoft and Oracle WebLogic
  • Operating Systems, including Windows 10
  • Browsers, including Microsoft Edge
  • Productivity software, including Microsoft Word
  • Content Management systems, including WordPress and Drupal

Any system that has not been updated to close known vulnerabilities is a possible target, and those that have already been hacked can often continue to harbor backdoors through which hackers can maintain control over the system.

Why should my organization care if cryptohackers mine currency on our systems?

There are a number of serious risks associated with having malicious code installed on your system. Such code can easily be used to access your organization’s privileged data, including personal information and passwords, or to take your organization’s data hostage. Public systems that have been compromised can also provide a route for hackers into your other systems, including those that would otherwise not be exposed. Hackers can target your users and customers, adding malicious payloads to emails, files, etc., which can then be spread internally. Beyond the security threat, mining of cryptocurrencies is an intensive process, which can slow down your systems and damage your hardware.

What can my organization do to counter this threat?

While developers of hardware and software systems race to close vulnerabilities, the primary defenses against cryptohacking remain: ASSESS > HARDEN > UPDATE

What does “assess” mean?

We recommend that our clients take this opportunity to review their systems to ensure that all software and hardware is being actively maintained. For web systems, this means understanding your technology stack, and identifying which party is maintaining each layer. For example, for clients who host their website with a managed host (such as Knownhost or LiquidWeb), much of the technology stack, including the virtual machine, Operating System, web server, database server, and application layer, is typically maintained and kept up-to-date by the hosting company. Any custom software though, including content management software and website code, is typically the responsibility of the client.

What does “harden” mean?

Most software, including popular web content management systems, is not particularly secure out-of-the-box. Systems such as WordPress have features and areas of functionality that may be vulnerable, or may increase the risk or scope of other vulnerabilities. For example, every WordPress site should have a firewall to limit malicious traffic, and should have certain features turned off, or reconfigured, to make hacking as difficult as possible. WordPress should be configured to use a more robust password scheme than the default MD5-based scheme, whose hashes can now be easily cracked to reveal passwords.
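
As part of a hardening review, the password scheme in use can be read directly from the stored hashes. The following is an added example, not CviaD's own tooling: it classifies values exported from the user_login and user_pass columns of the WordPress users table and lists the accounts still on an MD5-based scheme. The sample rows are constructed, and the format prefixes it recognises ($P$ for WordPress's phpass hashes, $2y$ for bcrypt, $wp$2y$ for the bcrypt form used by WordPress 6.8 and later) are the assumptions it relies on.

```python
import re

# Alphabet phpass uses to encode its cost character.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
BCRYPT = re.compile(r"(?:\$wp)?\$2[aby]\$(\d\d)\$")

def classify_hash(stored):
    """Return (scheme, detail, needs_upgrade) for one user_pass value."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
        return ("raw-md5", "unsalted, 1 MD5 round", True)
    if stored[:3] in ("$P$", "$H$") and len(stored) == 34:
        cost = ITOA64.find(stored[3])  # log2 of the iteration count
        if cost >= 0:
            return ("phpass-md5", f"salted, {1 << cost} MD5 rounds", True)
    m = BCRYPT.match(stored)
    if m:
        return ("bcrypt", f"cost {int(m.group(1))}", False)
    return ("unknown", "unrecognised format, review by hand", True)

def audit(rows):
    """Return [(login, scheme, detail)] for accounts that need attention."""
    findings = []
    for login, stored in rows:
        scheme, detail, needs_upgrade = classify_hash(stored)
        if needs_upgrade:
            findings.append((login, scheme, detail))
    return findings

# Constructed sample rows (not real credentials), shaped like an export of
# the user_login and user_pass columns.
SAMPLE_ROWS = [
    ("legacy_import", "0123456789abcdef0123456789abcdef"),
    ("editor", "$P$B" + "abcdefgh" + "ABCDEFGHIJKLMNOPQRSTUV"),
    ("admin", "$wp$2y$10$" + "x" * 53),
    ("service", "$2y$12$" + "x" * 53),
]

if __name__ == "__main__":
    for login, scheme, detail in audit(SAMPLE_ROWS):
        print(f"{login}: {scheme} ({detail})")
```

Accounts reported as raw-md5 or phpass-md5 are rehashed only when the user next logs in or resets their password, so a forced reset is the usual way to clear them after moving to a stronger scheme.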

What does “update” mean?

All software requires periodic maintenance and updates. While some updates are performance or feature-related, and can be installed at the discretion of the client, others are critical and should be installed as soon as possible upon release. No longer can organizations cross their fingers and hope that an unmaintained website will remain fully functioning and un-hacked for years on end. Those who continue with this strategy will find their websites compromised quickly, if they are not already compromised. For example, it is estimated that over 70% of WordPress websites are currently vulnerable to known hacking methods. A single critical vulnerability last year resulted in more than 1.5 million of these sites being hacked.

How can we help?

At CviaD we know that it can be challenging for small and medium-sized organizations to stay on top of such trends, and to understand the necessary steps to take to secure their websites. Cryptohacking represents a sea change in the industry, one that necessitates a new way of thinking about and planning for website development and maintenance. We can help. We offer hardening services, as well as maintenance and management (M+M) plans for popular web and mobile platforms, including WordPress, Drupal, and Joomla. Our plans include both scheduled and critical updates, and ongoing support to ensure that your users can continue to enjoy your services safely and securely.

If you are already on CviaD’s M+M plan, rest assured that we will be there, every step of the way, to help your organization understand and adapt to this changing landscape. If you have any questions, please let us know, and we’ll be happy to discuss this new threat and your current website environment in more detail. If you are not currently on an M+M plan and would like to discuss the full scope of services offered, let’s talk!
