A recent, high profile attack allowed cyber-criminals to hijack over 4,000 websites, including those of the Information Commissioner’s Office, the Student Loans Company and the NHS, to mine the cryptocurrency Monero in visitors’ browsers. Put simply, ‘mining’ a cryptocurrency means using dedicated computing hardware to verify transactions in return for a reward (the details vary from currency to currency). It requires investment and know-how. The perpetrators in this case instead used the processing power of ordinary users visiting popular websites, without their knowledge, to do the mining, and it was not the first attack of its kind.
The rocketing value of cryptocurrencies towards the end of 2017 saw a massive surge in speculative investment, and an ever-increasing focus on infrastructure built specifically to mine them. A reasonably knowledgeable hobbyist, spending a few thousand on readily available components and software, could perhaps make between 50 cents and a handful of dollars a day by focusing on lesser-known currencies, while adding massively to their electricity bill and carbon footprint. Specialist operators have invested heavily in purpose-built data centres that do nothing but mine, and have joined forces in mining pools to make mining more efficient, dividing the profit according to each miner’s contribution.
Cybercriminals circumvent this investment by borrowing your processing power instead, inserting malicious code into apps and websites; in this case it arrived through a third-party content provider used by thousands of sites. At best, this degrades the performance of affected machines, increases their electricity consumption and probably shortens their lifespan through higher utilisation. But a script that can mine in your visitors’ browsers has the same access as any other script on your page, so the same weakness puts the availability of your key systems at risk and potentially threatens the integrity of your data.
Malicious cryptomining has become increasingly attractive to cyber criminals. Profiting from ransomware is getting harder: users have less reason to pay out as training and awareness improve and anti-virus software becomes better at detecting it. And however unscrupulous criminals may be, quietly borrowing a victim’s central processing unit (CPU) presumably weighs on them less than destroying personal files and disrupting lives. A single modern device might mine around 25 cents’ worth of a currency like Monero, but by compromising popular websites criminals effectively marshal the browsers of hundreds or thousands of visitors at once. Curiously, the same idea is already being piloted by a number of firms as a legitimate alternative to online advertising; done transparently and with users opting in, it could become more common.
What can I do to protect my services?
Security researcher Scott Helme outlined two key mitigations for this particular issue:
- Add a Subresource Integrity (SRI) attribute to the script tags that load third-party code, so the browser hashes the file it actually fetched and refuses to execute it if the hash does not match the one you published. The trade-off is that the third party can no longer change the file without you updating the hash, which is exactly the point.
- Use a Content Security Policy (CSP) on your site, so that scripts can only be loaded from the origins you explicitly trust; any extra loader an attacker injects that points at an unlisted host is blocked by the browser.
As with many high profile vulnerabilities, however, this issue could have been mitigated by security by design: ensuring new services are built to current standards from their inception. When your security team works closely with the business from the start of the project lifecycle, it can understand the support the project needs, rather than handing over a checklist just before go-live. That encourages compliant, resilient services.