Blog

Large cryptojacking campaign targeting vulnerable Drupal websites

Yesterday, I was alerted to a cryptojacking campaign affecting the websites of the San Diego Zoo and the government of Chihuahua, Mexico. While these two sites have no relation to each other, they shared a common denominator: they both are using an outdated and vulnerable version of the Drupal content management system. After I analysed the IOCs, I was able to locate over 300 additional websites in this cryptojacking campaign. Many of the sites discovered were government and university sites from all over the world. #Coinhive found on the website of the San Diego Zoo (@sandiegozoo) in the latest high-profile case of …


Recent Podcasts: Packet Pushers & The CoinSec Podcast

In the last month, I was invited to participate in two podcasts. The first was with Packet Pushers and the second with The CoinSec Podcast. This was definitely less hectic than doing a live interview on Canadian national television. In both shows, I shared my thoughts on cryptojacking and other security topics.

Packet Pushers Podcast

For the Packet Pushers podcast, I was a guest of Paessler. They are the company behind the enterprise and network monitoring application, PRTG. I’ve frequently mentioned PRTG in my tweets as it’s one of my favorite monitoring tools. One of the notable incidents I always …


My favorite website scanning services

In my research, I primarily use two publicly available website scanning services: urlscan.io and Sucuri SiteCheck. These tools allow me to quickly locate malicious code, which usually consists of Coinhive. However, many other types of cryptocurrency mining scripts are in use today.

    Here's the total number of websites found with a non-#Coinhive cryptocurrency mining script.
    DeepMiner: 6,813
    CoinImp: 2,131
    Crypto-Loot: 1,555
    JSEcoin: 1,410
    Minr: 787
    Not pictured:
    ProjectPoi (PPoi): 225
    CoinNebula: 21
    CoinRail: 7
    Source: @publicww pic.twitter.com/OW3fYc3RM0
    — Bad Packets Report (@bad_packets) April 19, 2018

While Coinhive remains the market leader for now, their dominance in the cryptojacking “industry” has declined in 2018. I recently documented how to find …


Mirai-like Botnet One Year Review and a New Website!

In February 2017, I started my passive honeypot and began listening for all incoming network traffic. As the months passed, I saw numerous exploit attempts, constant port scans, and other suspicious traffic. It wasn’t until October that, with the help of Dr. Neal Krawetz, I started cataloging Mirai-like botnet traffic specifically. What does Mirai-like mean? Incoming scans from Mirai-like botnets have a very distinct fingerprint in the network traffic generated by infected hosts. The TCP sequence number will always equal the IP address of the target device. This intentional behavior is documented in the original Mirai source code, shown in the …


How to find cryptojacking malware

Cryptojacking malware continues to spread across the web, largely due to the popularity of Coinhive. Since Coinhive’s launch in September 2017, numerous cryptojacking clones have come about. The tool I’ve chosen to locate them with is PublicWWW. This is a search engine that indexes the entire source code of websites. I previously offered a comparison of their dataset versus other providers in my discussion of Coinhive malware specifically. In this post, I detail how to find websites containing Coinhive, Crypto-Loot, CoinImp, and deepMiner in PublicWWW. Let’s jump in and see how many sites with cryptojacking malware we can find! Coinhive …
