
React, etc. Tech Stack


Browser cryptocurrency mining malware is common

Since its inception in 2009 Bitcoin has been hailed as a free currency suitable for the internet. From its humble beginnings, the digital currency was first widely adopted for trading drugs and other illicit substances.

Eventually Bitcoin (and other cryptocurrencies) went mainstream as a speculative investment instrument in late 2017. All of this has not gone unnoticed by attackers. There is an increasing number of malicious activities related to cryptocurrency mining.

Attacks have ranged from traditional OS-level malware, such as the worm that took down a hospital in Finland and the Smominru botnet, to server-targeting malware like the kworker-based cryptominer. All of these yield at best a limited number of compromised clients.

This is why there has been increasing interest in deploying cryptominers that run as JavaScript inside the browser. Browsers' access to the underlying hardware has been growing, and they can now tap into the host GPU for rendering graphics. That GPU is also a coveted resource for cryptocurrency miners.

Attackers using CMS vulnerabilities to spread malware

In February 2018 there was a widespread occurrence of these on many UK government sites. The attack, known as the Browsealoud attack, was said to have reached 4000 individual web hosts. The web model amplified the access to hardware, as the exploit could spend the hardware resources of each visitor to the site.

Getting the modified client code onto web services is not rocket science, but sufficient scale is essential for it to make sense. This is why attackers have gone after popular content management systems. In 2017 WordPress security specialists from Wordfence located a widespread Monero mining campaign.

In early 2018 the trend has continued with the Drupal content management system. The tool has had multiple critical vulnerabilities. One of them, CVE-2018-7600, more commonly known as Drupalgeddon 2, has also been widely exploited by botnets to install cryptominers.

Now it has been discovered that the Drupalgeddon 2 vulnerability has been used to install cryptocurrency miners on over 400 sites, from corporations to governments:

A mass hacking campaign that targets a critical vulnerability in the Drupal content management system has converted more than 400 government, corporate, and university websites into cryptocurrency mining platforms that surreptitiously drain visitors' computers of electricity and computing resources, a security researcher said Monday.
Critical "Drupalgeddon2" is still being exploited six weeks after it was patched

With this scale, the mining operators can already harness a significant amount of computing power. And since attacking web services is an order of magnitude easier than writing operating-system-level malware for Windows or other operating systems, the situation for CMSes like Drupal could get worse as attackers double down on CMS vulnerabilities:

But it seems that the rate of vulnerabilities uncovered in the most popular Drupal 7.x and 8.x versions is increasing. These vulnerabilities are also exploited at an ever faster release cycle, meaning that without a robust auto-updating system, the vast majority of Drupal sites will be vulnerable to exploits. In the case of the most recent "Drupalgeddon 3" incident, exploits were in place within a matter of hours of the release of the patch.
The velocity of Drupal vulnerability exploits raises doubts

Written by Jorgé on Wednesday May 9, 2018

