Cryptojacking – Browser cryptocurrency mining

I’m going to start by saying I really should have one of those T-shirts; “Yes I work in IT, but NO I won’t fix your computer”. I’m sure you can all relate to being at a family function until someone can’t help but ask “I’ve got this small problem, I’ll bring it [my computer] to your house and you can sort it out?” *rolls eyes*

So it’s Christmas Day 2017 and as it approached 3pm I thought I’d escaped unscathed from any computer related obligations, until the conversation took a turn for the worse and I learned more than half of my family had invested in various cryptocurrencies including Bitcoin. Ironic considering I typically get at least one call a week asking me to help with things like “the printer isn’t working” or “should I click this link to scan my Mac for viruses”. So, you can imagine my astonishment when I learnt they’d collectively managed to buy not just Bitcoin, but Ethereum, Litecoin, and Monero! I guess easy money was too hard to resist.

This cryptocurrency hype isn’t just limited to my family, or yours, but has also found its way into many different areas including the world of cybercrime as an easy source of untraceable money.

What is Cryptojacking?

Cybercriminals are ahead, and for the foreseeable future always will be. Why? Because there’s an incentive to continually adapt, circumvent existing defensive technologies and devise new monetization strategies. With the rise of cryptocurrency, Cryptojacking attacks have risen more than 1200% over the past few months in the UK alone.

Cryptojacking is the broad term used to describe a distributed attack that uses end-users’ web browsers to mine valuable cryptocurrencies. Mining cryptocurrency consumes a large amount of CPU, and therefore electricity, so it is not cost-effective for cybercriminals to do themselves. By distributing the mining task to many victims, cybercriminals are able to generate large amounts of valuable cryptocurrency for almost zero cost or effort.

Why do I need to protect my website?

Cryptojacking itself is typically benign, meaning it doesn’t actively compromise the user’s own computer or the confidentiality or integrity of the information transferred to your website. However, it does indicate your website isn’t secure and attackers have exploited one or more weaknesses to effect the attack. Not only could more severe attacks cripple your business, it’s highly likely to reflect badly on you with your users and the media.

RedShield has you covered!

As an ethical hacker for almost 10 years it’s been my job to find the vulnerabilities that could lead to things such as Cryptojacking attacks. As a defender of critical, high-value systems it has also been my responsibility to prevent such attacks, so as a business or fellow defender the most important thing is knowing that RedShield is able to prevent, detect, and respond to all aspects of a Cryptojacking attack faster and more effectively than you could do it yourself.

Prevention is always better than cure

This old adage also stands true for Cybersecurity. With the introduction of mandatory data breach reporting laws globally, we should all agree that preventing a cybersecurity incident is far less expensive than incident response and potential litigation. TNT Express springs to mind, whose Petya outbreak resulted in permanent data loss and an expected financial loss of AUD $347 million.

As the world’s first complete vulnerability mitigation service, RedShield is uniquely positioned to prevent the exploitation of application vulnerabilities that provide attackers the mechanism to deliver Cryptojacking payloads. Our service offers complete application protection including:

  • Adding Subresource Integrity (SRI) attributes to client-side scripts and resources. If a file is changed unexpectedly it won’t run in users’ browsers.
  • Hardening of application requests and responses including setting Content Security Policy headers which can prevent malicious inline Cryptojacking JavaScript.
  • Blocking exploit payloads targeting application vulnerabilities including OWASP Top 10 vulnerabilities. This is important as Cross-Site Scripting and Remote Code Execution are the most common vectors to effect Cryptojacking attacks.
  • Advanced Shielding. About half of all application vulnerabilities are related to business logic that Web Application Firewalls cannot fix. RedShield’s stateful proxy secures these by transforming existing business logic without any application code changes.
  • Transformation of requests and responses including rewriting or masking of sensitive data such as administrative passwords and/or URIs.
  • Blocking of vulnerability scanners and bots to prevent reconnaissance and information gathering. This is important as over 40 percent of application logins are bots attempting to guess valid user credentials.
  • Filtering of anomalous requests and responses. Requests resulting in application behavior outside the baseline are dropped or a CAPTCHA is presented to prevent reconnaissance and information gathering, which is a prerequisite to application exploitation.

How will I know if my website is compromised?

Detecting a Cryptojacking attack can be difficult, especially if you’re including JavaScript from 3rd party domains. If you’re not sure, go, take a look. I’ll wait… If a 3rd party script is compromised, it can be modified to attack websites where the script is referenced and do things like modify page content, track key presses, capture data and, of course, mine cryptocurrency.

If your website references a compromised 3rd party script, it’s unlikely that anything will show up in your server or application logs. If you suspect your website has fallen victim to Cryptojacking you can check by using a website like Who Is Mining.
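One way to "take a look" yourself, as an added example that is not RedShield's code: the Python sketch below lists every script a page loads from another host, flags those without a Subresource Integrity attribute, and checks the rest against their declared hash the way a browser would. The hosts `www.example.org`, `cdn.example` and `widgets.example` and the script bodies are constructed placeholders, supplied inline so it runs offline.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # hash algorithms SRI defines

def sri_value(body, alg="sha384"):
    """Integrity attribute value for a script body."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"

def sri_matches(body, integrity):
    """Check a body the way a browser does: only the strongest listed algorithm counts."""
    tokens = [t.split("?")[0] for t in integrity.split() if t.split("-")[0] in STRENGTH]
    if not tokens:
        return True  # no usable hash, so no integrity check is applied
    best = max(tokens, key=lambda t: STRENGTH[t.split("-")[0]]).split("-")[0]
    return any(t == sri_value(body, best) for t in tokens if t.startswith(best + "-"))

class ScriptAudit(HTMLParser):  # collects <script src> tags served from another host
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.third_party = page_url, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "script" or not a.get("src"):
            return
        url = urljoin(self.page_url, a["src"])
        if urlparse(url).hostname != urlparse(self.page_url).hostname:
            self.third_party.append((url, a.get("integrity")))

def audit(page_url, html, fetched):
    """Map each third-party script URL to no-sri, ok or hash-mismatch."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    report = {}
    for url, integrity in parser.third_party:
        report[url] = ("no-sri" if not integrity else
                       "ok" if sri_matches(fetched[url], integrity) else "hash-mismatch")
    return report

def demo():
    """Constructed sample page; all hosts and script bodies are placeholders."""
    good = b"console.log('widget');"
    page = ('<script src="/js/app.js"></script>'
            f'<script src="https://cdn.example/lib.js" integrity="{sri_value(good)}"></script>'
            '<script src="https://widgets.example/chat.js"></script>')
    return audit("https://www.example.org/", page,
                 {"https://cdn.example/lib.js": good + b"/* injected */"})

if __name__ == "__main__":
    print(demo())
```

A `hash-mismatch` entry means the file served today differs from the one the page author pinned, which a browser would refuse to run; a `no-sri` entry is a script that could change without anyone noticing.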

RedShield is the only managed application security company with integrated application vulnerability scanning. Applications protected by RedShield are scanned regularly for issues including Cryptojacking.

What if I’m already compromised?

Fear not! Once identified, remediating Cryptojacking is a straightforward process; simply remove the offending JavaScript.

But I don’t know how or can’t change my website? Help!

It’s more common than you think! Your development team is unavailable, you don’t have access to the source code, perhaps it’s a 3rd party system or you aren’t sure how to modify HTML and JavaScript. A quick, simple DNS change is all that’s required for RedShield to remove any malicious JavaScript and stop Cryptojacking attacks.

Are you under attack?

If you suspect that your website might be compromised, contact the 24×7 RedShield team for assistance.