Research Saturday 3.17.18
Ep 27 | 3.17.18

Cryptojacking injections heat up.


Dave Bittner: [00:00:02] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Marcelle Lee: [00:01:02] There's a variety of ways that this can happen. What it boils down to basically is code injection.

Dave Bittner: [00:01:07] That's Marcelle Lee. She's a threat researcher at LookingGlass, and today she's discussing her recently published research, "Cryptojacking – Coming to a Server Near You."

Marcelle Lee: [00:01:17] Code injection has been around for a long time. It's nothing new, and there's many different ways to leverage it. But basically, attackers are just able to inject code onto different websites, and it's because there's some vulnerability in that website. It's one of the most common of the OWASP Top 10 list - I think it used to be number one. I'm not sure if it's still number one, but yeah, injection is not a new thing by any stretch.

Dave Bittner: [00:01:45] So when we're talking code, we're talking JavaScript code here?

Marcelle Lee: [00:01:48] Well, in the case of the Coinhive miner, that one is written in JavaScript. So it depends. I mean, you can write code in anything, right? But the Coinhive miner, that seems to be the most popular one right now, is based on JavaScript.

Dave Bittner: [00:02:04] So, let's just back up a little bit, and just give us a definition here - what are we talking about when we say cryptojacking?

Marcelle Lee: [00:02:11] So cryptojacking - my definition of it is the illegitimate mining of cryptocurrency. And it can be done a lot of different ways - through a browser, through a mobile app, lots of things. And I say illegitimate because you can certainly have coin mining activity on your website - like, you could run it on CyberWire's website if you wanted to - and just have it as a way to make money. And some people say, oh, well, you know, we're doing that instead of ads, so that's just how we're making our extra dollars. So, to me, that's sort of the difference between legitimate and illegitimate.

Marcelle Lee: [00:02:51] But even if you're running it, like, intentionally on your website, in my opinion, like, ethically speaking, you should still have like an opt-in, opt-out thing for your site visitors. Which I have seen on some sites, just where you can say, sure, I don't mind mining some cryptocurrency for you.

Dave Bittner: [00:03:09] Yeah, I remember, you know, years ago, and I think it's still active, that was the SETI project, analyzing radio signals from space to try to find intelligent life, and they would - you'd give them permission to use your, you know, extra processor cycles at night and everyone was OK with that. It was a little different than what we've got today.

Marcelle Lee: [00:03:28] (Laughs) A little bit. If I had had a charity that I - well, I have a lot of charities that I like - but, you know, say I have a charity that I like and they're doing cryptocurrency mining, then I might be like, okay, sure, I'll just let you mine all night long while I'm sleeping and it's not impacting, you know, my use of the computer. But I haven't seen a lot of that, unfortunately.

Dave Bittner: [00:03:47] And then I guess that is the point though, that you are using people's computer resources, which involves you using electricity, you're using, I suppose there could be wear and tear on the machine by having it run, you know, full capacity. And these folks generally aren't asking for permission ahead of time.

Marcelle Lee: [00:04:04] Correct. Correct. And it really does make a huge impact on just your CPU usage and all that sort of thing. Like in the testing that I did, my CPU usage went up 500 percent, like, pretty much instantly. And that is a fairly steady and sustained increase. It doesn't drop off until you stop the mining activity. So that can be impactful. And the research I've seen on mobile apps - although I haven't tested it on a mobile device myself - just shows, you know, generally, it's going to impact those devices even more from the wear and tear standpoint.

Dave Bittner: [00:04:41] Yeah, the heat, and also it would really drain your battery quickly, I suspect.

Marcelle Lee: [00:04:46] Exactly. Like, the first testing I did actually was on a laptop, and the laptop - I mean, you can hear the engines or the fan spin up right away.

Dave Bittner: [00:04:54] Right.

Marcelle Lee: [00:04:55] The fans, and the laptop got so hot so fast that it was literally burning my legs.

Dave Bittner: [00:05:02] Wow.

Marcelle Lee: [00:05:03] It was like, oh, I need to do this at a table or something. It's pretty significant, the impact.

Dave Bittner: [00:05:10] Yeah. So, let's run through some of the things you discovered, some of the various flavors, I suppose, of cryptojacking. And one of the things that you point out in your research is that this isn't just happening in your browser. You found it in some Oracle WebLogic application servers?

Marcelle Lee: [00:05:25] Yep, that's correct. And that's been fairly widely reported on now and that was basically leveraging an input validation vulnerability. So, again, it's just another injection-type thing. That was earlier this year I think that came out. And then, since then, more recently - not even in my research - was that Tesla's cloud, which is an Amazon S3 Bucket, not too terribly surprisingly, that one was impacted as well. So, mining, and also some data lost there, data leakage.

Marcelle Lee: [00:06:00] There's been some government sites that have been hit recently. In the UK, the National Health Service, and also in Australia - I forget which government agency - but they've experienced it too. But I mean, it's pretty common to see cyber attackers or criminals, or however you want to refer to it, to just basically look for vulnerable sites. And often it doesn't even matter what that site is. But in this case, you know, they're going to want sites with maximum traffic just to increase that potential for making some income off of the mining.

Dave Bittner: [00:06:37] Yeah, it was interesting in that UK example because it was really a third-party provider - I believe it was an accessibility plugin for the websites - and so the folks who were the original hosts of those sites, you know, were doing all the right things, but it was this third party who got attacked.

Marcelle Lee: [00:06:57] Yeah, exactly. And I mean, it's through, like, apps - it's just sort of those side things that are running on a website sometimes where that's coming in. I've seen it in also social media, like Digmine was spread around on social media, and that would basically infect your Facebook account and then spread to your Facebook friends, and so on and so forth. So, it's interesting because these miners are often part of, like, another whole kit of things, so it might be mining, it might be stealing passwords, it might be doing all different kinds of things at one time. And what we're seeing is that, whereas ransomware - well, I don't want to say ransomware is on the decline because something terrible will happen tomorrow.

Dave Bittner: [00:07:43] (Laughs) Right, don't tempt fate.

Marcelle Lee: [00:07:47] I know, right? But cryptojacking seems to be definitely on the uptick, like the RIG exploit kit, which is traditionally kind of known for ransomware, is now gearing up to do more of the cryptojacking thing. So, it's interesting. I think it's probably a lot less effort to do cryptojacking than it is to do ransomware, just because you don't have to go through the whole rigmarole of collecting ransom, and so on and so forth.

Dave Bittner: [00:08:13] Right. Yeah, I guess there's less infrastructure, there are less things you have to support, with it having to get the money...

Marcelle Lee: [00:08:18] Right.

Dave Bittner: [00:08:19] ...And so on and so forth. But also, one of the things that leaves me scratching my head about cryptojacking, you know, like in your example of having, you know, botnets, for example, doing mining for cryptocurrency. I can imagine a video camera, you know, mounted on a wall in a warehouse somewhere, and someone takes advantage of that camera to do some cryptomining. And as long as that camera still functions as a camera, no one's going to notice.

Marcelle Lee: [00:08:48] Right.

Dave Bittner: [00:08:48] And so it could just go about, you know, I suppose it would use more electricity, and as we said, it could run hotter and maybe reduce the life of the device, and so on. But it's not really affecting someone in the way that ransomware is. One of the things that leaves me scratching my head is, why don't these cryptominers - why do they go full out and try to grab all of your processing capability? Why don't they dial it in and say, all right, we're only going to use 25 percent, because if we only use 25 percent or 50 percent, or whatever, then it's much more likely that we won't be noticed?

Marcelle Lee: [00:09:22] Right. Exactly. And that's a good question, and I think the answer is, maybe, just not that much thought was put into some of these miners. But I've definitely seen - like in our testing, just looking at, you know, the traffic - there are settings that you can put in there for, like, throttling the speed or...

Dave Bittner: [00:09:42] Ah. Okay.

Marcelle Lee: [00:09:42] ...You know, detecting whether it's a mobile device or not a mobile device, things like that. So, I mean, they are pretty customizable, it's just, you know, a lot of times people use stuff right out of the box, right?

Dave Bittner: [00:09:52] Right.

Marcelle Lee: [00:09:53] So to speak. But there's definitely customization and optimization options.

Dave Bittner: [00:09:59] Well, I suppose too that it's possible that they are using those options and those are the ones that aren't being discovered...

Marcelle Lee: [00:10:04] Right.

Dave Bittner: [00:10:04] ...Because they're not not drawing attention to themselves.

Marcelle Lee: [00:10:08] (Laughs) When I initially did my testing, I found over seven thousand sites that were running Coinhive miners, which is a lot. And just this morning, for grins and giggles, I searched again - not specifically for Coinhive, just for any miner activity - and do you want to take a guess at how many sites I found today?

Dave Bittner: [00:10:29] So you found seven thousand before.

Marcelle Lee: [00:10:33] Mm-hmm.

Dave Bittner: [00:10:33] Uh... Oh, gosh. Let's go crazy - let's double it and say fourteen.

Marcelle Lee: [00:10:39] Okay, it's actually forty - four zero - thousand sites that have some sort of mining activity. And there might be a few outliers that aren't really doing that. Maybe it's just a site that's talking about doing it, or whatever.

Dave Bittner: [00:10:52] Now, when you say you search, what does that entail? How do you do that?

Marcelle Lee: [00:10:57] Oh, right. So, it's nothing magical. There is actually a pretty awesome website that I use for this kind of research called, and it allows you to basically search source code in websites. So it's a pretty awesome tool.

Dave Bittner: [00:11:13] Yeah.

Marcelle Lee: [00:11:13] I just put in a little code snippet from - that would be actually generic to really any miner. Yep, forty - over forty thousand.

Dave Bittner: [00:11:22] Wow. So, in addition to running in browsers, we're seeing apps show up on the Google Play Store that are miners as well.

Marcelle Lee: [00:11:31] Yes. Yes. In fact, the one that I saw was actually, like, a wallpaper app. And I always tell people, like, there's always malicious apps, right? And typically, it seems to be flashlight apps are notoriously bad.

Dave Bittner: [00:11:45] Mm-hmm.

Marcelle Lee: [00:11:46] I'm not sure if there's any flashlight miners out there, but I bet there probably are. And then, yeah, like I said, this wallpaper paper one. So, you know, you select some pretty pictures for your background or whatever, and you get some mining along with it. So that's, you know, what I consider, like, a trojanized app, because you're not signing up to mine, most likely, when you downloaded that app.

Dave Bittner: [00:12:08] So, tell me about some of the things you discovered where people were hijacking Wi-Fi hotspots.

Marcelle Lee: [00:12:14] That was a really interesting thing, and I've actually only seen the one example of it that was happening, I think, in Buenos Aires. The attackers were using a tool called CoffeeMiner, which is man-in-the-middle tool that basically hijacks when the patrons - in this case at Starbucks - when the patrons tried to connect to the Wi-Fi hotspot, it injects this code, and then basically everything that they do that's, you know, on HTML sites, is running the code. So, again, I've only seen the one example reported of that, but the CoffeeMiner tool is definitely out there.

Dave Bittner: [00:12:49] Yeah. Take us through what you discovered with the Zealot malware campaign.

Marcelle Lee: [00:12:53] So, Zealot - Zealot is another one that's sort of a multi-featured campaign, and another company did a lot of research on that, actually. But it did a number of things besides the mining, and it also leveraged the Eternal Blue/Eternal Synergy exploits, and basically used that and targeted Windows and Linux systems, and could basically just send up a request via HTTP on these infected servers. But it did other things like - I think that one was also extracting credentials and doing some propagation within the network. So, that one I didn't actually study myself, I just read about it.

Dave Bittner: [00:13:40] Yeah. So it's sort of - in the bag of malware tricks, cryptojacking is one of the things - I guess one of the common things in these multi-talented kits, cryptojacking is becoming a standard tool.

Marcelle Lee: [00:13:54] Yeah, exactly. And that's what I was saying before, like with the exploit kits or like remote access tools that have sort of a variety of features, if you will. Cryptocurrency mining just appears to be, like, a new thing that's getting thrown into the mix.

Dave Bittner: [00:14:09] Right. And so what exactly are you finding, just statistically, how bad is this? If a cryptominer is running on my computer, am I likely to notice?

Marcelle Lee: [00:14:23] Yeah, you are likely to notice because, like I was saying before with my own testing, the fans will fire up pretty quickly, and if you happen to be paying attention to your CPU, you will see a sharp spike in that. It's noticeable, but then again, it's noticeable if you're maybe looking for it. If you're not aware or are just not paying that much attention to it, then you might not notice. I would say the average person probably isn't going to have the slightest idea that it's mining activity, right? They might just think, oh, I'm streaming a video and it's taking a lot of energy, or whatever.

Dave Bittner: [00:14:58] Time to buy a new computer.

Marcelle Lee: [00:15:00] (Laughs)

Dave Bittner: [00:15:02] So, if you do notice that, what should you do?

Marcelle Lee: [00:15:06] There's a couple of different things you can do. What I personally do, is use a browser extension that blocks mining activity and there's quite a few of those out there. And they're available - like, I've seen them for Chrome, Firefox, Microsoft Edge, I think Opera just came out with one as well.

Dave Bittner: [00:15:23] Hmm.

Marcelle Lee: [00:15:23] So it's just a thing you install in your browser that detects and blocks the activity, which is interesting because then you get to see which sites, of course, because it will pop up and say "blocking activity." Also, antivirus might pick it up. That's kind of iffy because there's just so many variables, but I have seen a couple of different antivirus engines that detected some of this activity. And again, it just depends on the vector.

Dave Bittner: [00:15:49] What about how they're serving this up through ad networks? Are the folks who are running the ad networks - are they being complicit in this?

Marcelle Lee: [00:15:57] Well, I can't say whether they're being complicit or not, but I mean, they certainly could be, or they might also just be victims as well.

Dave Bittner: [00:16:04] Yeah.

Marcelle Lee: [00:16:04] Like the thing we were talking about with the UK sites - you can inject stuff almost everywhere, right? It just depends on the level of security and how well that code is written. And again, you know, it's not necessarily done maliciously. It might just be to make money. When sites - like Pirate Bay, I think most notoriously, was serving up the cryptocurrency mining without their users' permission. And it was discovered, but they were like, well, I don't care.

Dave Bittner: [00:16:35] Right.

Marcelle Lee: [00:16:36] You know, they just carried on doing it. And so, you know, then it becomes one of those things - from the user, it's like, well, do I still want to go to Pirate Bay and take that cryptocurrency mining along with it? Maybe I do, maybe I don't. You know, it's kind of a decision that you make. But like I said, most sites - you're not going to see it or know it.

Dave Bittner: [00:16:55] I think it's interesting too because we saw - I can't remember the site - but as you mentioned earlier, there was a site that said, you know, if you're running ad blocker, we're going to run cryptocurrency mining in the background. Are you okay with this? I guess the question I have for you is, well, if I don't want to see ads, should I be OK with the cryptomining? Is it necessarily a deal killer?

Marcelle Lee: [00:17:21] (Laughs) Well, I don't really like to see ads or do cryptocurrency mining.

Dave Bittner: [00:17:23] Well, you're right. Yeah, it's true. (Laughs)

Marcelle Lee: [00:17:25] Yeah, so I mean, I have a mining blocker and I also have ad blockers so, you know, some sites.

Dave Bittner: [00:17:33] I guess if you're - but if you're sympathetic to the fact that these folks are a business and are trying to make, you know, trying to - desperately trying to make money on the Web, which is getting harder and harder to do, I guess - should we have any sympathy for them trying to go at it this way?

Marcelle Lee: [00:17:49] So, I would say it depends. Like, for me, it would totally depend on the website, right?

Dave Bittner: [00:17:53] Right. Right.

Marcelle Lee: [00:17:54] So there's different news outlets that, you know, they'll say, oh, we see you're using an ad blocker, would you please unblock because this is how we make our money? - I think The Guardian does that. For them, I might, you know, allow those ads, and probably the same thing with the mining. I mean, chances are I'm not going to be on any one website that long, that it's really going to make any kind of significant impact.

Marcelle Lee: [00:18:16] Where you see more of an impact is, say you're streaming media or something, and you're mining at the same time. That's going to make a big difference. And in fact, even the Coinhive website talks about, you know, in order to optimize your returns on this, it makes sense to inject it into sites where there's going to be sort of that prolonged connection and communication with the user.

Dave Bittner: [00:18:39] Oh I see.

Marcelle Lee: [00:18:40] Yeah.

Dave Bittner: [00:18:41] And is this the sort of thing, like - speaking about Coinhive - if I decided that I wanted to be someone who profits from, you know, mining on other people's machines, are these things available as a service? Is this a relatively easy thing for someone to spin up and do?

Marcelle Lee: [00:18:58] Yes, actually. So plenty of code out there, but I mean, I've seen even, like, WordPress plugins, where you - if you want to add this functionality to your WordPress site, or to somebody's WordPress site. There's lots and lots of what I would consider pretty much legit things, because like many things in this field, like Coinhive, they've pretty much said, hey, we built this not ever thinking that it was going to be used maliciously but, you know, that train has obviously left the station, so...

Dave Bittner: [00:19:33] Right.

Marcelle Lee: [00:19:34] And it's the same with all the other ones too, you know. So, I'm sure whoever wrote the WordPress plugins was probably like, oh, this is a cool thing, and then it gets reappropriated.

Dave Bittner: [00:19:42] Yeah, unintended consequences.

Marcelle Lee: [00:19:44] Yes. The cryptocurrency that I'm seeing mostly, which is Monero, and you know, most people, when they think of cryptocurrency, they think Bitcoin. It's like synonymous in their minds. But there's many, many different cryptocurrencies. And Monero is kind of interesting because it's based on the CryptoNote cryptocurrency protocol, and it's very different from Bitcoin in that the wallets are completely private. So, whereas with Bitcoin you can look up a wallet address and see all the transactions, you can't do that with Monero. It's completely different algorithm.

Marcelle Lee: [00:20:20] So we're definitely seeing a sort of an increase of usage with cyber criminal activity because of that. And I would say that, personally, to me, I've seen where Monero has really spiked or jumped up in value over the past few months. Coinhive came out I think around September of last year, and since then Monero has gone from, like, one hundred something to - it's like three hundred today. So it's gone up quite a bit. It might be a good investment, I don't know. (Laughs).

Dave Bittner: [00:20:51] (Laughs) Right, right. You're not technically a financial adviser, so listeners should not take financial advice.

Marcelle Lee: [00:20:57] (Laughs) Exactly.

Dave Bittner: [00:20:58] So, it's the coin of choice because it provides that anonymity that Bitcoin does not.

Marcelle Lee: [00:21:05] Exactly.

Dave Bittner: [00:21:09] Our thanks to Marcelle Lee for joining us. You can read her complete report, "Cryptojacking – Coming Soon to a Server Near You," on the LookingGlass website. It's in their blog section.

Dave Bittner: [00:21:20] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:21:28] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.