Threat Management, Malware

Silent Monero miners here to stay and steal your CPU cycles, and soon GPU cycles

A recent uptick in the use of silent cryptocurrency miner attacks that unsuspectingly exploit a users' CPU cycles to mine Monero has shown that everyone from Pirate Bay browsers to Showtime customers are vulnerable to having their computing power stolen at the cost of their electric bill.

Between January and August 2017 IBM X-Force team researchers noted a six-fold increase in attacks using embedded mining tools that utilize coin central processing unit (CPU) mining tools, and to a lesser extent graphic processing units (GPU), to specifically targeting enterprise networks.

ESET researchers spotted a botnet of several hundred servers infecting unpatched Windows webservers using the CVE-2017-7296 vulnerability to inject users with a legitimate open source Monero mining software called xmrig. The network has been active since at least May 2017 and the infected machines have pulled in more than $63,000. 

Recently, a new legitimate cryptominer has been spotted on various websites and is raising concerns about user consent.

Last week, a legitimate JavaScript cryptominer developed by Coinhive was intentionally used on Pirate Bay to help generate revenue in an effort to wean the sites dependency on ads. This Monday, CBS's Showtime silently removed the same JavaScript miner from its sites and although is unclear how the Showtime sites became infected, web analytics company New Relic said the code for the miner appeared to have been added by the websites developers.

The technology behind these attacks is fairly new and cybercriminals and legitimate companies alike are jumping at the opportunity to find new ways to profit from them, Webroot Senior Threat Research Analyst Tyler Moffitt told SC Media.

“Free games or online services that don't like to use ads have always struggled to find the cash to support user traffic, developers and staff,” Moffitt said. “In some eyes, this is that answer.”

Moffitt said the implications of being able to have every visitor on popular sites secretly contributing processing power to hash cryptos is huge and that the miner technology offers a lot of money to be made at the expense of a site visitor's electric bill.  

The algorithms that power the JavaScript miner are also well suited for running on a consumer's CPU, Imperva Incapsula Application Security Research Team Leader Nadav Avital told SC Media.

Although there is a relatively high return on investment for threat actors injecting theses miners onto sites, the attacks aren't completely without problems.

“Infecting a web server with a miner that runs on the server, while very efficient in terms of ROI, is less efficient in terms of persistency as mining cryptocurrency involves heavy mathematical computations that hogs the server's CPU,” Avital said.  “Since the server's CPU is constantly monitored, such attacks are easily discovered”

While Coinhive is taking steps to prevent the abuse of its technology on unsuspecting users, some researchers aren't confident it will prevent cybercriminals from exploiting the newfound revenue stream.

“Coinhive has already received lots of feedback and their blog reports that they're working on a way to implement a user required "opt-in" before being allowed to mine,” Moffitt said. “This would ideally prevent abuse, but who's to say hackers can't spoof that down the road. “

Fortunately there are free browser add-ons and extensions like ad block that will prevent the script from unexpectedly running on a user's device. For sites that intentionally run the miners, some researchers believe there should be legislation mandating disclosure.

“Using end users' CPUs without their knowledge and their consent is pure theft,” Avital said.  “Regulation should make it clear that sites need to get users' consent before using such technology.”

And while it will be a while, if ever, before legislators make an effort to regulate the use of cryptominers that can be used on the devices of others, researchers agree sites should do their job protecting web server or web applications that could allow their sites to be compromised by third party miners.

Currently the miners aren't profitable enough to warrant the use of zero-days so keeping up with web server security updates should be enough to avoid getting infected, Tripwire security researcher Craig Young told SC Media.

“Any site with a stored cross-site scripting vulnerability will be particularly exposed to the threat of JavaScript cryptomining malware like Monero, so it is crucial for administrators to implement an appropriate Content-Security Policy (CSP) to further reduce exposure to XSS,” Young said. “Site owners who don't take these precautions may find themselves on the business end of a free security assessment and a compromised server.”

Young said that once a site does become infected, it can be difficult for visitors to the site to avoid having their computers exploited to mine coins unless they have the proper prevention tools in place.

Avital said it is possible that these attacks will evolve to exploiting users' GPU power as well in these type of attacks since it is usually more efficient in cryptocurrency mining tasks while site operators, on the defensive end, will start using the Content-Security-Policy (CSP) security standard to prevent code injection attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.