The discovery of unauthorized crypto-currency mining code on a BlackBerry site run by a handset manufacturing partner is the latest example of how attackers are taking over Web sites to steal processor cycles for profit, and in some cases spreading mining code to unsuspecting visitors.
Last week a visitor discovered that the BlackBerryMobile.com Web site, which is run by China’s TCL Communications and promotes the Android-powered BlackBerry handsets TCL makes, was running code from Coinhive, a JavaScript miner for the Monero digital currency. According to security researcher Pierluigi Paganini, the code was removed once the site’s operators were alerted.
In an email to ITWorldCanada.com, a BlackBerry Ltd. spokesperson said it was alerted by a third party “of an exploited security vulnerability affecting the BlackBerryMobile.com site. Upon notification and our own verification, BlackBerry Limited moved quickly to communicate with our partner at TCL and to temporarily redirect our links to BlackBerryMobile.com to BlackBerry.com pages. At no time was BlackBerry.com compromised.
“TCL has restored a new site with partial content and is collaborating with BlackBerry Limited to harden its site to prevent future cyber attacks.”
TCL, which signed a five-year deal at the end of 2016 to be BlackBerry’s handset manufacturer and runs BlackBerryMobile.com, was asked for comment on January 8 but so far has not replied.
It isn’t known whether the BlackBerryMobile.com site was hacked by outsiders or an insider inserted the code. But it is another example of how far people eager for computing power for cryptocurrency mining are willing to go.
Canadian organizations that own or host Web sites should be looking more closely at their code. Terry Cutler, vice-president of cyber for Montreal-based forensic investigation firm Sirco Group, said Tuesday his company had just discovered Coinhive crypto mining JavaScript on a customer’s site during a routine penetration test.
The code was being injected into the browsers of visitors, he said. If the browser was closed on the victim’s computer, it didn’t completely end the session. Instead, the browser was minimized to a place on the desktop where it wouldn’t be seen and continued using the processor to do the computing needed for mining.
The investigation has just started, and Cutler said he doesn’t know if the code was inserted by a former employee or a hacker.
Secretly using someone else’s computer for crypto mining isn’t new. Reports began surfacing last fall of Web sites (some possibly hacked, some possibly with their owners’ knowledge) being used this way. Sometimes code was injected into the browsers of unsuspecting users. A tell-tale sign is CPU usage suddenly spiking, which slows the system down. Whoever controls the code gets the digital currency.
Last October The Register reported that the U.S. political fact-checking site PolitiFact and the Web site of the CBS-owned premium TV network Showtime were apparently hacked so that mining code would run in the browsers of those who visited the sites.
Crypto mining isn’t only done on PCs. In October Trend Micro reported finding Android apps with embedded mining code in the Google Play store.
In a search for Coinhive and JSEcoin mining code on the top 100,000 Web sites listed by Alexa, ad-blocking solution provider AdGuard found 220 sites running in-browser mining code. Most were in the U.S., India, Russia and Brazil. Such mining isn’t necessarily malicious if users are told and agree to their CPU cycles being used this way. Many are not told.
There were also news reports that content delivery network Cloudflare had suspended a site that was serving Coinhive code to visitors’ browsers without notifying them.
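The injected loader described by Cutler above and the kind of site-wide search AdGuard ran both come down to the same check: does the HTML a site serves pull in, or inline, a known browser-mining library? The following is an added example written for this article, not code from Sirco Group, AdGuard or any site mentioned here. It extracts external script URLs and inline script bodies from a page and matches them against a small indicator list; the hosts and patterns in that list are assumptions based on the public Coinhive and JSEcoin loader URLs and the Coinhive JavaScript API, and the two sample pages are constructed, with a placeholder site key.

```python
"""Scan served HTML for known in-browser cryptomining libraries.

Added example (not code from the article or from any vendor it names).
The indicator lists are assumptions drawn from the public Coinhive and
JSEcoin loader URLs and the Coinhive JavaScript API; extend them locally.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that served the Coinhive loader (and its opt-in variant, authedmine.com)
# and the JSEcoin loader. Suffix-matched, so a subdomain such as load.jsecoin.com hits.
MINER_HOSTS = ("coinhive.com", "authedmine.com", "jsecoin.com")

# Strings seen in miner loaders and in the inline bootstrap code that starts them.
MINER_PATTERNS = [
    re.compile(r"CoinHive\.(Anonymous|User)\s*\("),   # Coinhive JS API constructor
    re.compile(r"coinhive\.min\.js", re.I),           # library file, even when self-hosted
    re.compile(r"load\.jsecoin\.com", re.I),          # JSEcoin loader
]


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._buf = None  # non-None while inside an inline <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def _host_of(src):
    """Hostname of a script src; '' for relative (same-origin) paths."""
    if "//" not in src:
        return ""
    return (urlparse(src).hostname or "").lower()


def scan_html(html):
    """Return a list of (kind, evidence, reason) findings; an empty list means clean."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.srcs:
        host = _host_of(src)
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(("external", src, "miner host " + host))
            continue
        # A copied library served from the site's own origin still carries its file name.
        for pat in MINER_PATTERNS:
            if pat.search(src):
                findings.append(("external", src, pat.pattern))
                break
    for body in collector.inline:
        for pat in MINER_PATTERNS:
            if pat.search(body):
                findings.append(("inline", body.strip()[:80], pat.pattern))
                break
    return findings


# Constructed sample pages (not captured from BlackBerryMobile.com or any real site).
INJECTED_PAGE = """<html><head><title>Phones</title>
<script src="https://cdn.example.com/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></head><body><h1>Phones</h1></body></html>"""

CLEAN_PAGE = """<html><head><title>Phones</title>
<script src="https://cdn.example.com/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><h1>Phones</h1></body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        hits = scan_html(page)
        print(f"{name}: {len(hits)} finding(s)")
        for kind, evidence, reason in hits:
            print(f"  [{kind}] {reason}: {evidence}")
```

Run it against the HTML your own servers return (or a crawl of your sites) rather than against a browser's rendered DOM, since the injected code may be added server-side. Treat a match list like this as a floor, not a ceiling: miners were routinely rehosted on other domains or loaded through obfuscated scripts, so the CPU-usage spike mentioned above and outbound WebSocket connections from visitors' browsers are complementary signals.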
The incident, say Cutler and Steven Bryant, Vancouver-based head of operations at Canadian Ethical Hackers, shows how important it is for organizations to keep a close eye on their Web sites’ code and who has access to it.
That includes strict access control for Web developers, including two-factor authentication, and making sure accounts are disabled when staff leave. It can be hard to detect if an insider is manipulating code, Cutler acknowledged, because employee accounts usually aren’t monitored. That’s why it’s also a good idea to have a third party audit your environment, he said.
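Whether the code was planted by an outsider with stolen credentials or by an insider whose account nobody watches, the change itself lands in the web root, and that is something you can watch directly. The example below is added here and is not code from the article or from either firm quoted in it: it hashes every file under a web root into a baseline, then reports files that were added, removed or modified. The directory layout, file contents and the "miner.js" stand-in it tampers with are all constructed for the demonstration.

```python
"""Baseline-and-diff integrity check for a web root.

Added example, not from the article or from Sirco Group or Canadian Ethical
Hackers. The web root, its files and the tampering below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def save_baseline(digests, out_path):
    """Write the baseline as JSON. Store it where the deploy account cannot write."""
    Path(out_path).write_text(json.dumps(digests, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_baseline(baseline, current):
    """Return added, removed and modified relative paths, each as a sorted list."""
    baseline_paths, current_paths = set(baseline), set(current)
    return {
        "added": sorted(current_paths - baseline_paths),
        "removed": sorted(baseline_paths - current_paths),
        "modified": sorted(p for p in baseline_paths & current_paths
                           if baseline[p] != current[p]),
    }


def run_demo():
    """Build a throwaway web root, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "htdocs"
        (webroot / "js").mkdir(parents=True)
        (webroot / "index.html").write_text("<html><body><h1>Phones</h1></body></html>\n")
        (webroot / "js" / "app.js").write_text("console.log('app');\n")

        baseline_file = Path(tmp) / "baseline.json"  # deliberately outside the web root
        save_baseline(hash_tree(webroot), baseline_file)

        # Simulated tampering: a script tag is appended to the page and a new file dropped in.
        with (webroot / "index.html").open("a") as f:
            f.write('<script src="/js/miner.js"></script>\n')
        (webroot / "js" / "miner.js").write_text("/* constructed stand-in for a miner loader */\n")

        return diff_baseline(load_baseline(baseline_file), hash_tree(webroot))


if __name__ == "__main__":
    result = run_demo()
    for kind in ("added", "removed", "modified"):
        print(f"{kind}: {result[kind]}")
```

In practice, regenerate the baseline from a known-good deployment (ideally straight from the release artifact, not from the live server), keep it and the script on a host the web deploy and developer accounts cannot reach, and run the diff on a schedule. Any change that did not come through a deployment is then a finding to investigate regardless of which account made it.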
Similarly, Bryant said CISOs should think like a sports team and have offensive as well as defensive strategies: in other words, if possible create a penetration-testing team of your own, and if not, regularly hire an outside firm to do a pen test.
With credential theft among the biggest aims of attackers, it’s easy for a criminal to alter Web code once passwords and credentials have been obtained. So limiting access to code and adding two-factor authentication are vital, he said. “You want to have the minimal number of people with authority” to change code.