Cryptocurrencies provide a unique incentive for cybercriminals. Difficult to trace, anonymous and easily harvested with an adequate baseline of computing resources, they have already been at the center of several major incidents, including the heist of as much as $100 million in Bitcoin from an online drug sales portal. Bitcoin and its ilk may represent a new frontier in commerce, but they’ve also presented many tricky questions for merchants and security vendors, which now have to weigh the digital usability of cryptocurrencies against the numerous new attack surfaces that their usage opens up.
Moreover, attacks involving Bitcoin are already evolving in strategy. Whereas Bitcoin’s novelty may have originally inspired attackers whose primary purpose was to gain attention and expose flaws within the Bitcoin transactional process, new efforts are casting a wider net and may be inflicting collateral damage on parties with no ties to, or even knowledge of, the Bitcoin community. A recent incident at Yahoo is a case in point, showing how Bitcoin has quickly become a new payoff for sophisticated cyberattacks that previously would have been limited to the harvesting of user data and credentials or the proliferation of advanced malware.
Some of Yahoo’s display ads were taken over by viruses and subsequently spread the infection to PC users. Well known malware such as ZeuS may have been distributed via this channel, but in a novel twist, the campaign’s perpetrators also designed it to turn compromised computers into Bitcoin miners. Simply put, Bitcoin is accrued by having a machine complete CPU- and/or GPU-intensive tasks, and the difficulty level is being raised as more miners go after the limited global supply of Bitcoin.
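To make the "CPU-intensive tasks" and rising difficulty concrete, here is an added illustration (not code from the article): a toy hash-based proof of work in the style of Bitcoin mining, plus a proportional pool payout. Real Bitcoin hashes an 80-byte block header with double SHA-256 against a 256-bit target; the header bytes, the leading-zero-bit difficulty and the pool member names below are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Added illustration, not code from the article: a toy proof of work.
# The "header" is an arbitrary byte string and the target is expressed
# as a number of leading zero bits, which is enough to show why the
# expected work doubles with every extra bit of difficulty.


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || nonce, the construction Bitcoin uses."""
    data = header + nonce.to_bytes(8, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the hash, read as a big-endian integer, has at least
    difficulty_bits leading zero bits, i.e. lies below 2^(256 - bits)."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


@dataclass
class MiningResult:
    nonce: int
    digest: bytes
    attempts: int


def mine(header: bytes, difficulty_bits: int, max_attempts: int = 1 << 24) -> MiningResult:
    """Grind nonces until a hash meets the target. Returns the winning nonce,
    its hash and how many hashes were tried; raises if the budget runs out."""
    for nonce in range(max_attempts):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return MiningResult(nonce, digest, nonce + 1)
    raise RuntimeError("no solution within attempt budget")


def expected_attempts(difficulty_bits: int) -> int:
    """Average hashes needed: each hash succeeds with probability 2^-bits."""
    return 1 << difficulty_bits


def pool_payout(contributed_hashes: dict, block_reward: float) -> dict:
    """Split a block reward across pool members in proportion to the hashes
    each contributed (a simplified version of real pool payout schemes)."""
    total = sum(contributed_hashes.values())
    return {member: block_reward * h / total for member, h in contributed_hashes.items()}


if __name__ == "__main__":
    header = b"constructed-example-header"  # constructed sample input
    for bits in (8, 12, 16):
        r = mine(header, bits)
        print(f"{bits} bits: nonce={r.nonce} attempts={r.attempts} expected~{expected_attempts(bits)}")
    # constructed pool: one member contributed 70% of the work
    print(pool_payout({"pool-member-a": 700, "pool-member-b": 300}, 25.0))
```

Running it shows the attempt count climbing roughly 16-fold from 12 to 16 bits, which is the effect the article describes: the same machine yields ever less reward as the network-wide target tightens, so an attacker who wants to profit needs many machines rather than a faster one.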
It’s possible that the cybersecurity community could see an uptick in these types of attacks that hijack a computer’s raw processing power rather than its data. The stakes for addressing these risks are high, given that a large pool of accumulated computing resources could be repurposed for scaling a botnet or conducting distributed denial-of-service attacks, in addition to mining Bitcoin. Fortunately, attacks such as the Yahoo incident often exploit known vulnerabilities in historically weak platforms such as Java, so organizations know where to start.
Yahoo malware turned PCs into Bitcoin miners via display ads
When problems with Yahoo’s display ads were first detected, the main issue seemed to be that visitors to Yahoo sites were being hit with exploit kits, including the Magnitude kit that has gained popularity since the decline of Blackhole. The attack was limited in scope. Only PC users in Europe were targeted – Mac and mobile users, as well as anyone in the U.S., were not affected.
A Dutch security vendor estimated that the infection rate was approximately 9 percent. Anyone visiting a page served by ads.yahoo.com was susceptible to the malware, and the number of infections could have been as high as 27,000 machines per hour. If compromised, a computer was redirected to one of several domains hosting the Magnitude exploit kit, which scans PCs for Java vulnerabilities. After that, ZeuS, Andromeda and ad-clicking malware may have been installed to capitalize on the weakness.
The attack was likely financially motivated, as demonstrated by possible links between the domains that hosted Magnitude and a promotion program called Paid-to-Promote, which as its name suggests pays individuals for pushing large amounts of traffic to a page. Yahoo’s high daily traffic numbers would make it a natural target for such a campaign. Nearly 400 domains may have been involved in a broader effort of which the Yahoo exploit was just one component.
However, there’s another wrinkle to this malware campaign’s financial angle. It may have been designed to create a vast network of Bitcoin mining machines, since it featured code for running a Bitcoin network and was observed communicating with Bitcoin mining pools on the Web. Basically, these are shared batches of computing resources that work to solve Bitcoin mathematical problems, and the party that contributes the most power is entitled to the largest share of the reward.
“Bitcoin mining is a computationally heavy process that gets harder and harder in time,” explained Light Cyber founder Giora Engel. “Bitcoin is mined in blocks, and since it takes a lot of computing power to mine a block, the miners join forces and form mining pools or ‘bitcoin mining networks’ – in which each one participates with his computing power and gets in return his share of the revenue. In our case, the malware author would be the sole beneficiary of the mining efforts.”
Hijacking PCs for their processing power is nothing new – it’s a key tactic for enhancing the efficacy of DDoS or botnets. However, taking them over with the express purpose of mining Bitcoin is a bit different, since it alters the calculus that normally governs this process. Most of the time, Bitcoin mining is a losing effort because the associated electrical costs outstrip the reward. But with many machines in tow, it’s much easier to come out in the black. The security community must become more aware of how cryptocurrencies are providing new incentives for the engineering of sophisticated malware campaigns.
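The pool communications observed in the Yahoo campaign (described above) are also the most practical handle defenders have on this kind of infection, since a compromised PC has to talk to a pool to earn anything. The following is an added example, not code from the article or any vendor: it flags hosts whose outbound traffic looks like mining-pool participation using two signals, the stratum mining protocol's JSON-RPC method names (mining.subscribe, mining.authorize, mining.submit) visible to a proxy or IDS with payload visibility, and connections to a defender-maintained watchlist of pool hosts. The log format, host names, pool addresses and port numbers are all constructed for the example.

```python
import json
import re
from collections import defaultdict

# Added example, not from the article: flag hosts that appear to be
# participating in a mining pool. Log format, hosts and addresses are
# constructed; stratum method names are those of the real protocol.

STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}

# Placeholder watchlist; a real deployment would feed this from threat intel.
POOL_WATCHLIST = {"pool.example-miner.invalid", "stratum.example-pool.invalid"}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<port>\d+) payload=(?P<payload>.*)$"
)


def parse_line(line: str):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def stratum_method(payload: str):
    """Return the stratum method name if the payload is a stratum JSON-RPC
    request, else None. Non-JSON payloads are ignored rather than raising."""
    try:
        msg = json.loads(payload)
    except json.JSONDecodeError:
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    return method if method in STRATUM_METHODS else None


def find_mining_hosts(lines):
    """Map each suspicious source host to the list of reasons it was flagged."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        method = stratum_method(rec["payload"])
        if method:
            findings[rec["src"]].append(f"stratum {method} to {rec['dst']}:{rec['port']}")
        elif rec["dst"] in POOL_WATCHLIST:
            findings[rec["src"]].append(f"connection to watchlisted pool {rec['dst']}")
    return dict(findings)


# Constructed sample log: one host doing a stratum handshake, one host
# reaching a watchlisted pool without visible payload, two benign lines
# and one malformed line.
SAMPLE_LOG = [
    '2014-01-05T10:00:01Z src=pc-17 dst=news.example.com:443 payload=-',
    '2014-01-05T10:00:09Z src=pc-17 dst=stratum.example-pool.invalid:3333 '
    'payload={"id": 1, "method": "mining.subscribe", "params": []}',
    '2014-01-05T10:00:10Z src=pc-17 dst=stratum.example-pool.invalid:3333 '
    'payload={"id": 2, "method": "mining.authorize", "params": ["worker-placeholder", "x"]}',
    '2014-01-05T10:01:00Z src=pc-22 dst=pool.example-miner.invalid:3333 payload=-',
    '2014-01-05T10:01:30Z src=pc-31 dst=www.example.com:80 payload=GET / HTTP/1.1',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for host, reasons in find_mining_hosts(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The payload signal is the stronger one, because a stratum handshake is unambiguous regardless of which pool is on the other end, while the watchlist only catches pools you already know about; in practice a host that trips either rule and also shows sustained CPU or GPU load is worth pulling for the Java-exploit-kit chain the article describes.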
Yahoo exploit also demonstrates persistent vulnerabilities in dynamic content, Java
Still, the prevalence of outdated Java implementations is perhaps the greatest contributor to the success of these attacks. If possible, users should consider disabling Java altogether, while enterprises should make the effort to keep their versions up to date.
The Yahoo malware campaign isn’t likely to be the last of its kind. It wasn’t even the first, as a gaming company was implicated last year in a code injection attack that turned thousands of PCs into Bitcoin miners. Although the payoff of malware attacks may be shifting from stolen data to pilfered Bitcoin and hijacked CPU/GPU resources, best practices for minimizing risk have not changed. Software should be updated and users should be careful if something seems off, so that vulnerabilities are discovered and fixed as quickly as possible.