A recent cryptocurrency mining operation that targeted over 5,000 websites in the UK, including that of the ICO, could be the ‘first of many’ operations that hackers could launch in the coming years, an expert has warned.
The recent cryptocurrency mining operation forced the government to shut down hundreds of websites belonging to the Student Loans Company, several NHS services, and local councils.
The cryptocurrency mining operation, which took place exactly a week ago, was conducted by hackers who compromised a widely-used browser plug-in to spread their web to thousands of websites and subsequently mined cryptocurrency using the processing power of infected devices.
By taking immediate steps to take the affected websites offline, the government managed to avert a crisis and saved millions of citizens, who visit such government websites regularly, from being affected. However, considering the large-scale impact of the campaign, it is clear that hackers will be back soon with more sophisticated techniques to covertly mine cryptocurrency.
Andrew Douthwaite, VP Managed Services at VirtualArmour, told Express.co.uk that last week’s cryptocurrency mining operation could be the first of many such operations to take place in the UK.
“This method of thinking around how effective a ‘hack’ or ‘attack’ is becoming more common, we are not seeing individual sites or companies being targeted, but common services, or ancillary third party plugins being targeted.
“This gives the attackers a much wider audience to hit at once, the third party companies developing the add-ons or additional services are generally smaller than the companies using them and therefore can be less stringent with their QA and security. Another example of this approach was the huge DDoS attack on the DNS provider Dyn – taking down Twitter, Netflix, Spotify, to name but a few,” he said.
Steve Giguere, lead EMEA engineer at Synopsys, also said that the technique used by hackers to conduct last week’s mining operation could be employed for DDoS attacks in the future. “Designers of trusted plug-ins may have either underestimated the security requirements of their own SDLC, never thought themselves a target, or, as plug-ins are often designed by smaller teams with lower budgets, simply didn’t have the expertise to harden their development environment to prevent compromise,” he said.
“As hackers are always looking for a weak link, we can expect browser plug-ins will continue to be an active target to exploit the distributed horse-power of browser-based computing. In this particular incident, a plug-in which would be used by organisations who have a large user base and have demonstrated in the past (WannaCry) a potential to be an easy target, no doubt incentivised the attackers,” he added.
“We are going to see an increase in the exploitation of computing resources for cryptomining. There are a number of platforms that haven’t been tapped yet, and it seems that there is an increase in the sophistication of these attacks. The only reliable way to identify this behavior is through dynamic analysis, as the CPU profiles are very easily discernible,” says Professor Giovanni Vigna, CTO and co-founder of Lastline.
“However, often the cryptomining code is obfuscated, delayed, or downloaded dynamically after the application is executed, often circumventing unsophisticated sandboxing environments. Installing well-reviewed applications from trustworthy publishers on well-known markets is the only way to reduce risk. These cryptominers are ‘loud’ as they use an extensive amount of CPU (and battery) and therefore they are easily spotted by users after a short amount of time,” he adds.