Government Sites Mine Cryptocurrencies for Cybercrooks
by David Balaban
Malware attacks are becoming more and more hybrid to align with the new reality. As opposed to aggressive perpetrating code
like ransomware, the main vectors of cybercrime no longer revolve around straightforward compromise. The rise of cryptocurrencies, with their unique properties, has become the real game changer.
Crooks exploit this decentralized ecosystem in various ways. We’ve seen Ponzi schemes, massive heists of Bitcoin exchange services, initial coin offering scams and outright theft of coins from users’ wallets—sometimes even at gunpoint. The most surreptitious type of attack, though, is cryptojacking. It denotes a routine where threat actors harness the CPU and GPU power of other people’s computers and servers to mine cryptocurrencies.
This particular activity has gained momentum with the onset of in-browser mining scripts such as Coinhive. It’s a JavaScript entity that can be embedded in a website so that the processors in visiting machines mine Monero for a specific XMR address. Coinhive is a legit traffic-monetization instrument that’s supposed to be an alternative to regular ads. Unfortunately, hackers abuse it on a large scale by integrating the code into popular sites without webmasters’ knowledge.
An unsettling trend of the past few months is the exploitation of government websites around the world for stealthy Monero mining. Below is a timeline of all such defiant incursions that hit the headlines recently.
- Feb. 14, 2018. Security analysts find the Coinhive script running on rio.ri.gov.br, the municipal-government website of Rio de Janeiro. To pull off the attack, the malefactors reportedly compromised the site’s cloud-computing module provided by the DigitalOcean platform.
- Feb. 11, 2018. More than 4,200 sites fall victim to the biggest cryptojacking onslaught to date. The compromised online resources include U.K., U.S. and Australian government portals, such as uscourts.gov, nhsinform.scot, manchester.gov.uk, legislation.qld.gov.au, and ico.org.uk.
- The breach took root through BrowseAloud, a third-party plugin by Texthelp—a vendor delivering accessibility features for people with poor English skills, dyslexia and other disorders. Despite the huge number of victims, the black hats reportedly earned only $24 worth of Monero.
- Feb. 2, 2018. Threat actors inject a mining script into medellin.gov.co/movilidad, a Colombian government domain, and make it join the underhand XMR generation rush.
- Jan. 30, 2018. In another cryptojacking incident, hackers compromise the official website of the Police Bureau of Investigation (PBI) Headquarters of Bangladesh (pbi.gov.bd). The Coinhive site key used in this campaign is 7sejF8MTdameOU67qDMTV6v7Q7sPWnIU.
- Jan. 28, 2018. The website of Social Security Treasury of the Venezuelan government (tss.gob.ve) is furtively mining Monero for V1WPa0OziOUo2lvwHApiXvilQaFIglK2 Coinhive ID.
- Jan. 24, 2018. Cybercriminals inject a coin miner into municipiolarioja.gov.ar, the municipal website of La Rioja province, Argentina. According to the municipality’s Director of Information Systems, the attack most likely took place through an unnamed, newly installed site plugin.
- Jan. 14, 2018. Mexican government site cedulaprofesional.sep.gob.mx turns out to have a sneaky crypto miner. This web resource is the National Registry of Professionals, where Mexican experts in different domains register their degrees and various patents. Given its popularity, the amount of mined XMR must be substantial.
- Jan. 11, 2018. Someone surreptitiously embeds the Coinhive script in the site of the Bolivarian Government of Venezuela (ipasme.gob.ve). Interestingly, 18 other sites use the same Coinhive ID (UizfZDfSvIfwq3ElSckc1nJMQwr9ZVmK), including the one for the annual pop-culture conference Bangkok Comic Con. This fact provides some clues regarding the hack attribution.
- Jan. 5, 2018. Two Ukrainian government websites are found to be taking advantage of visitors’ CPUs through Coinhive. They include berdichev-rda.gov.ua and dfrr.minregion.gov.ua. The former features a more sophisticated implementation, as the miner was embedded through an obfuscated component of mootools.js—a popular JavaScript utility kit.
- Jan. 4, 2018. A few more Ukrainian .gov domains are exploited to mine Monero. One of them, koryukivka-rada.gov.ua, is the official site for a city council. The other, den.energy.gov.ua, is the state energy supervision portal. The hackers used two different Coinhive site keys.
- Dec. 4, 2017. Security researchers discover a cryptojacking instance involving see.ac.gov.br, the website of Brazil’s State Secretary for Sport and Education.
- Dec. 3, 2017. Yet another cryptojacking wave stands out from the crowd as it targets the website of the President House of Bangladesh (bangabhaban.gov.bd). The attack lasted for more than three months, since the obfuscated Coinhive script wasn’t removed from the site until March 8.
- Nov. 27, 2017. A number of Moldovan government websites are hacked to mine cryptocurrencies behind the scenes. The targets include mai.gov.md, brd.gov.md, mec.gov.md and politia.md. No CPU throttling is configured, so the script uses 100% of the visiting computers’ processing capacity.
- Nov. 16, 2017. The official web page of a state-owned Argentine energy company (secheep.gov.ar) joins the ubiquitous cryptojacking boom without admins’ authorization. Of note is that the Coinhive ID in this breach is shared with a VR porn site.
- Nov. 13, 2017. Cybercrooks manage to incorporate the notorious in-browser mining script into ipes.gov.co, the website of the Institute for Social Economy—a Columbian government agency. This compromise is part of a bigger cryptojacking wave, in which the same Coinhive key is used on 45 more hacked websites.
- Nov. 10, 2017. Perpetrators compromise Vietnamese government site div.gov.vn, which is the official portal of the country’s deposit-insurance agency. The villains use a throttling technique to make sure the script flies below the radar of most site visitors’ attention.
- Oct. 12, 2017. A sneaky script running on novasantarita.rs.gov.br, the website of the municipality of Nova Santa Rita, Brazil, is stealthily eating up the CPU of visiting PCs without requesting permission. It’s the first reported cryptojacking attack zeroing in on a government site.
A particularly disconcerting point about all of the above hacks is that high-profile websites are low-hanging fruit when it comes to cryptojacking. It shouldn’t be that way, obviously. What hinders prevention is that a third-party widget can be the weak link, as was the case with BrowseAloud. One way or another, the admins of government websites should employ more-robust and more-effective anti-breach mechanisms to keep mining scripts away.
