Blog

How to stop cryptojacking and the theft of your computing resources

Cryptojacking is defined as hijacking your desktop / laptop computer, mobile device, or server to surreptitiously mine cryptocurrency for someone else’s profit. In other words, it’s the theft of computational resources (CPU) and energy (electricity). Cryptojacking most commonly happens through a web browser. Malicious cryptomining scripts (sometimes referred to as coinminers) are frequently found injected into compromised websites. Some of the affected sites have belonged to well-known organizations and government institutions. Many of the hacked sites found were using vulnerable content management systems or compromised third-party services. Cryptojacking is typically resource intensive, as malicious cryptocurrency mining consumes all available CPU resources. This is because …


Over 100,000 Drupal websites vulnerable to Drupalgeddon 2 (CVE-2018-7600)

In my previous post, I detailed a large cryptojacking campaign that affected hundreds of Drupal websites. Multiple campaigns remain active today and are documented further in the latest SecurityTrails report. An important question was raised during my initial investigation — How many Drupal sites are vulnerable? To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7. I promptly began scanning all the sites to establish which were vulnerable, and …


Large cryptojacking campaign targeting vulnerable Drupal websites

Yesterday, I was alerted to a cryptojacking campaign affecting the websites of the San Diego Zoo and the government of Chihuahua, Mexico. While these two sites have no relation to each other, they shared a common denominator — they are both using an outdated and vulnerable version of the Drupal content management system. After I analysed the IOCs, I was able to locate over 300 additional websites in this cryptojacking campaign. Many of those discovered were government and university sites from all over the world.

#Coinhive found on the website of the San Diego Zoo (@sandiegozoo) in the latest high-profile case of …


Recent Podcasts: Packet Pushers & The CoinSec Podcast

In the last month, I was invited to participate in two podcasts. The first was with Packet Pushers and the second with The CoinSec Podcast. This was definitely less hectic than doing a live interview on Canadian national television. In both shows, I shared my thoughts on cryptojacking and other security topics.

Packet Pushers Podcast

For the Packet Pushers podcast, I was a guest of Paessler. They are the company behind the enterprise and network monitoring application, PRTG. I’ve frequently mentioned PRTG in my tweets as it’s one of my favorite monitoring tools. One of the notable incidents I always …


My favorite website scanning services

In my research, I primarily use two publicly available website scanning services: urlscan.io and Sucuri SiteCheck. These tools allow me to quickly locate malicious code, which usually consists of Coinhive. However, many other types of cryptocurrency mining scripts are in use today.

Here's the total number of websites found with a non-#Coinhive cryptocurrency mining script.
DeepMiner: 6,813
CoinImp: 2,131
Crypto-Loot: 1,555
JSEcoin: 1,410
Minr: 787
Not pictured:
ProjectPoi (PPoi): 225
CoinNebula: 21
CoinRail: 7
Source: @publicww pic.twitter.com/OW3fYc3RM0
— Bad Packets Report (@bad_packets) April 19, 2018

While Coinhive remains the market leader for now, their dominance in the cryptojacking “industry” has declined in 2018. I recently documented how to find …
