News / Media References
Please see here for our mentions in major news / media publications.
Peer-reviewed academic research publications
Identifying infected energy systems in the wild
Angelos Marnerides, Vasileios Giotsas, and Troy Mursch
A plethora of Mirai-like variants have emerged in the last two years that are capable of infiltrating any type of device. In this paper we provide a 7-month retrospective analysis of Internet-connected energy systems that are infected by Mirai-like malware variants. By utilizing network measurements from several Internet vantage points, we demonstrate that a number of energy systems on a global scale were infected during the period of our observation. Our work offers a first look at energy systems compromised by malware infections, and offers insights into the lack of proper security practices for systems that are increasingly dependent on Internet services and, more recently, the IoT. In addition, we indicate that such systems were infected for relatively long periods, thus potentially remaining undetected by their corresponding organizational units.
A first look at browser-based cryptojacking
Shayan Eskandari, Andreas Leoutsarakos, Troy Mursch, and Jeremy Clark
In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar code-bases. In addition, we conduct some measurements to establish its prevalence and profitability, outline an ethical framework for considering whether it should be classified as an attack or business opportunity, and make suggestions for the detection, mitigation and/or prevention of browser-based mining for non-consenting users.
Bad Packets co-founder Troy Mursch discusses the key factors contributing to the rise of malicious cryptocurrency mining, the symptoms of cryptojacking, and a brief history of the topic in this webinar hosted by Infosecurity Magazine.
- How Cryptojacking Impacts You, and What You Can Do About It
- Cryptojacking campaigns continue to target vulnerable websites
- How to use reverse DNS records to identify mass scanners
- How to use name server records to locate malicious domains en masse
In this case study, presented by Paessler, I document my use of PRTG to detect and monitor high-profile websites infected with cryptojacking malware.
Bad Packets Report is featured, cited, or mentioned in the following publications.
AT&T ThreatTraq – Vulnerability in Cisco RV320, RV325 Routers
The AT&T ThreatTraq team discuss our findings regarding opportunistic scanning activity targeting vulnerable Cisco routers.
CTV News – Raising The Alarm About Cryptojacking
Bad Packets Report co-founder Troy Mursch spoke with CTV’s Scott Laurie and shared the basics of cryptojacking: what it is, how it happens, and how to prevent it.
The Wall Street Journal – Your Computer May Be Making Bitcoin for Hackers
The Washington Post – Hackers have turned Politifact’s website into a trap for your PC
The Washington Post – Salon.com wants to use your PC to mine cryptocurrency
Krebs on Security – Website Flaw Let True Health Diagnostics Users View All Medical Records
Krebs on Security – Who and What Is Coinhive?
Krebs on Security – Who’s Behind the Screencam Extortion Scam?
Krebs on Security – Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted
Krebs on Security – Crypto Mining Service Coinhive to Call it Quits
Krebs on Security – Booter Boss Interviewed in 2014 Pleads Guilty
Associated Press – How your smart fridge might be mining bitcoin for criminals
Ars Technica – Ongoing DNS hijackings target unpatched consumer routers
PC Magazine – Why Hackers Love Cryptocurrency Miner Coinhive
PC Magazine – Chrome Extension Hacked to Secretly Mine Cryptocurrency
PC Magazine – Can Cryptocurrency Mining Save The Media Industry?
PC Magazine – Coinhive Cryptocurrency Mining Service to Shut Down
Threatpost – Muhstik Botnet Exploits Highly Critical Drupal Bug
Threatpost – Drupalgeddon 2.0 Still Haunting 115K+ Sites
Threatpost – VisionDirect Blindsided by Magecart in Data Breach
Threatpost – Newsmaker Interview: Troy Mursch on Top Botnet Trends
Threatpost – 19K Orange Livebox Modems Open to Attack
The Next Web – Crypto-jacking epidemic spreads to 30K routers across India
The Register – Drupal drisputes dreport of widespread wide-open websites
The Register – Why is my cheapo Android red hot and switching off Wi-Fi?
Bleeping Computer – The Internet Is Rife With In-Browser Miners and It’s Getting Worse Each Day
Bleeping Computer – Cryptojacking Craze: Malwarebytes Says It Blocks 8 Million Requests per Day
Bleeping Computer – Cookie Consent Script Drops In-Browser Cryptocurrency Miner
Bleeping Computer – Cryptojacking Script Found in Live Help Widget, Impacts Around 1,500 Sites
Bleeping Computer – Mirai Activity Picks up Once More After Publication of PoC Exploit Code
Bleeping Computer – Cryptojackers Found on Starbucks WiFi Network, GitHub, Pirate Streaming Sites
Bleeping Computer – Chrome Extension with 100,000 Users Caught Pushing Cryptocurrency Miner
Bleeping Computer – Using the Chrome Task Manager to Find In-Browser Miners
Bleeping Computer – Firefox Working on Protection Against In-Browser Cryptojacking Scripts
Bleeping Computer – Unicef’s TheHopepage May Be the First Good Use of In-Browser Mining
Bleeping Computer – Drupal Sites Fall Victims to Cryptojacking Campaigns
Bleeping Computer – Google Agrees to Pay $11 Million to Owners of Suspended AdSense Accounts
Bleeping Computer – Two Months Later, Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon 2
Bleeping Computer – You Can File Complaints About Cryptojacking With the FTC
Bleeping Computer – Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers
Bleeping Computer – Coinhive Raking In Over $250,000 per Month From In-Browser Cryptomining
Bleeping Computer – Mirai IoT Malware Uses Aboriginal Linux to Target Multiple Platforms
Bleeping Computer – Over 3,700 MikroTik Routers Abused In CryptoJacking Campaigns
Bleeping Computer – VisionDirect Data Breach Caused by MageCart Attack
Bleeping Computer – Orange LiveBox Modems Targeted for SSID and WiFi Info
Bleeping Computer – Hackers Targeting Cisco RV320/RV325 Routers Using New Exploits
Bleeping Computer – Coinhive In-Browser Cryptomining Service Shuts Down on March 8
Bleeping Computer – Cisco Botches Fix for RV320, RV325 Routers, Just Blocks ‘curl’ User Agent
Bleeping Computer – Confluence Servers Hacked to Install Miners and Rootkits
Bleeping Computer – Linksys Smart Wi-Fi Routers Leak Info of Connected Devices
Bleeping Computer – Hackers Inject Magecart Card Skimmer in Forbes’ Subscription Site
International Business Times – Hackers covertly hide code on Politifact to hijack your PC, secretly mine cryptocurrencies
International Business Times – Popular Chrome extension with over 105,000 users found secretly mining cryptocurrency
International Business Times – Salon to readers: Let us use your PC to mine cryptocurrency in exchange for an ad-free website
International Business Times – Mozilla Firefox Will Block Cryptocurrency Mining Malware Scripts From Web Browser
Newsweek en Español – SEP, UNAM y la Liga MX, fueron intervenidas para generar dinero con un código malicioso (SEP, UNAM and Liga MX were compromised to generate money with malicious code)
The Hacker News – Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit
The Hacker News – Hackers Infect Over 200,000 MikroTik Routers With Crypto Mining Malware
Avast Blog – The End of Coinhive; The end of cryptojacking?
La Stampa – Truffe, crimini e ricatti online: dove nascono, come funzionano e perché sono difficili da fermare (Online scams, crimes and blackmail: where they originate, how they work and why they are difficult to stop)
La Stampa – Qualcuno potrebbe minare criptovalute col tuo browser, ecco come funziona il fenomeno (Someone could be mining cryptocurrency with your browser; here’s how the phenomenon works)
Infosecurity Magazine – LA Times Hit with Crypto-Mining Software
Infosecurity Magazine – Crypto Crime: Hunting for Cryptocurrency Mining in Your Enterprise (Webinar)
Infosecurity Magazine – Nearly 20,000 Orange Modems Leaking Wi-Fi Passwords
Infosecurity Magazine – Attackers Target Home Routers with DNS Hijacking
Infosecurity Magazine – Forbes Site Up, Then Down Again after Magecart Attack
Help Net Security – Compromised MikroTik routers power extensive cryptojacking campaign
Help Net Security – Cisco botched patches for its RV320/RV325 routers
Help Net Security – Consumer routers targeted by DNS hijacking attackers
BankInfoSecurity – Cryptojacking: Mitigating the Impact
BankInfoSecurity – Hacked MicroTik Routers Serve Cryptocurrency-Mining Malware
BankInfoSecurity – Magecart Spies Payment Cards From Retailer Vision Direct
BankInfoSecurity – Hackers Target Fresh Drupal CMS Flaw to Infiltrate Sites
The Daily Swig – Vision Direct poked in the eye by credit card breach
The Daily Swig – Information disclosure vulnerability impacts 25,000 Linksys routers
Naked Security – Unsecured AWS led to cryptojacking attack on LA Times
Naked Security – Shodan and passwords sitting in a tree, S-H-O-W-I-N-G!
Liftr News – Report: Cryptojacking Trend Hits LA Times
Security Now! – Episode #662 – Drupal Sites Fall Victims to Cryptojacking Campaigns
Security Now! – Episode #667 – Drupalgeddon2 appears to be a fixture of the Internet
DataBreachToday – Cryptocurrency Miners Exploit Widespread Drupal Flaw
DataBreachToday – Websites Still Under Siege After ‘Drupalgeddon’ Redux
DataBreachToday – Cryptojackers Keep Hacking Unpatched MikroTik Routers
Dark Reading – Cryptojacking Threat Continues to Rise
Dark Reading – 5 Steps to Fight Unauthorized Cryptomining
Dark Reading – Ongoing DNS Hijack Attack Hits Consumer Modems and Routers
New Scientist – You may be making cryptocurrency for hackers without realising
WeLiveSecurity – Coinhive cryptocurrency miner to call it a day next week
SC Media – 2018 – The year that was: Top Cyberthreats
SecurityIntelligence – Does the Rise of Crypto-Mining Malware Mean the End of Ransomware?
Tom’s Guide – These D-Link Routers Are Under Attack: What to Do
Security Boulevard – 5 Cryptojacking Consequences CISOs Can’t Ignore
Security Boulevard – Coinhive to shut down all its cryptojacking services on March 8!
Security Boulevard – Git Code Repos Held to Ransom – Thousands Hacked
Security Boulevard – Forbes subscribers warned of Magecart threat skimming credit card details
Security Boulevard – Egyptian DDoS Campaign Observations
SmarterMSP – Threat Watch: Cryptojacking
Tom’s Hardware – Showtime Uses Online Viewers’ CPUs To Mine Cryptocurrency
Tom’s Hardware – The Rise Of Cryptojacking And How To Stop It
Gizmodo en Español – Es una plaga: Movistar infecta “por error” su propia web para minar criptomonedas a través de sus usuarios (It’s a plague: Movistar infects its own website “by mistake” to mine cryptocurrencies through its users)
CriptoNoticias – “No hay que tomarse los mineros web a la ligera” asegura Troy Mursch, investigador de ciberseguridad (“Web miners shouldn’t be taken lightly,” says Troy Mursch, cybersecurity researcher)
CriptoNoticias – Página web de Movistar España minaba monero de sus usuarios con Coinhive (Movistar Spain’s website was mining Monero from its users with Coinhive)
Heise online – Chrome-Extension Archive Poster sammelt heimlich Kryptowährung (Chrome Extension Archive Poster secretly collects cryptocurrency)
Heise online – Drupal-Lücken: Lenovo versäumt Webseiten-Update und fängt sich Krypto-Miner ein (Drupal vulnerabilities: Lenovo misses website update and picks up a crypto-miner)
Heise online – Jetzt patchen! Angreifer machen Jagd auf Cisco-Router (Patch now! Attackers hunt down Cisco routers)
Heise online – 20.000 Linksys-Router leaken angeblich Daten von verbundenen Geräten (20,000 Linksys routers are reportedly leaking data from connected devices)
Golem.de – Proxy-Server fügen Kryptominer ein (Proxy servers add cryptominer)
Security Affairs – Over 19,000 Orange Livebox ADSL modems leak WiFi credentials
Security Affairs – Hackers are targeting Cisco RV320/RV325, over 9K routers exposed online
Security Affairs – Initial fixes for Cisco RV320 and RV325 routers were incomplete
Security Affairs – DNS hijacking campaigns target Gmail, Netflix, and PayPal users
Security Affairs – Magecart hackers inject card Skimmer in Forbes Subscription Site
Security Affairs – Internet scans found nearly one million systems vulnerable to BlueKeep
ExtremeTech – Showtime Caught Mining Cryptocurrency With Viewers’ PCs