Cloud at risk from cryptocurrency miners

Malicious code can go undetected, pushing up cloud prices

Multiple legitimate websites have been hacked to leech processing power from visitors' computers, using them to mine cryptocurrencies.

Hackers have installed malicious code on sites belonging to schools, charities, file-sharing services and even CBS, according to scans.

Mining, in this sense, refers to the process of creating units of a digital currency like Bitcoin. The mining computers collect pending transactions (a block) and collate them into a coded puzzle. The first miner to find the solution announces it, and those transactions are validated and added to the blockchain. The miner then receives some currency as a reward.
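The "coded puzzle" described above is a proof-of-work search: miners repeatedly hash a candidate block with a changing counter (nonce) until the hash falls below a target, which is why raw hashing capacity decides who collects the reward. The following Python sketch is an added illustration of that loop and is not code from the article or from any real miner; the transaction records and the leading-zeros target are constructed for the demo and are far simpler than a real network's block format.

```python
import hashlib
import json
import time

# Constructed sample "pending transactions" for the demo. Real blocks carry
# thousands of transactions plus a header referencing the previous block.
PENDING_TRANSACTIONS = [
    {"from": "alice", "to": "bob", "amount": 1.5},
    {"from": "carol", "to": "dave", "amount": 0.25},
]


def block_digest(transactions, prev_hash, nonce):
    """SHA-256 over a deterministic serialisation of the candidate block."""
    payload = json.dumps(
        {"prev": prev_hash, "txs": transactions, "nonce": nonce},
        sort_keys=True,
        separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def mine(transactions, prev_hash, difficulty):
    """Search for a nonce whose digest starts with `difficulty` hex zeros.

    Returns (nonce, digest, attempts). Brute force is the only known
    strategy, which is why total hash rate, including hash rate taken from
    other people's machines, decides who wins the reward.
    """
    target = "0" * difficulty
    nonce = 0
    while True:
        digest = block_digest(transactions, prev_hash, nonce)
        if digest.startswith(target):
            return nonce, digest, nonce + 1
        nonce += 1


def verify(transactions, prev_hash, nonce, difficulty):
    """Anyone on the network can check a claimed solution with one hash."""
    digest = block_digest(transactions, prev_hash, nonce)
    return digest.startswith("0" * difficulty)


if __name__ == "__main__":
    genesis = "0" * 64  # placeholder previous-block hash for the demo
    for difficulty in (2, 3, 4):
        start = time.perf_counter()
        nonce, digest, attempts = mine(PENDING_TRANSACTIONS, genesis, difficulty)
        elapsed = time.perf_counter() - start
        print(f"difficulty={difficulty} nonce={nonce} attempts={attempts} "
              f"time={elapsed:.3f}s digest={digest[:16]}...")
        assert verify(PENDING_TRANSACTIONS, genesis, nonce, difficulty)
```

Each extra hex digit of difficulty multiplies the expected number of attempts by sixteen while verification stays a single hash, which is the asymmetry that makes stolen CPU time valuable to an attacker and cheap to validate for the network.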

Because only the first to solve the puzzle gets the prize, miners tend to use very powerful computers - or, in this case, a widely-distributed network.

"There's a huge attraction of being able to use other people's devices in a massively distributed fashion, because you then effectively take advantage of a huge amount of computing resources," Rik Ferguson, VP of security research at Trend Micro, told the BBC.

Webmasters can use platforms like JSE Coin and Coinhive to install a piece of code on their sites that can mine coins by utilising excess CPU power of visitors' machines. However, it is not always legitimate webmasters implementing the code.

"Installing this script on hundreds of websites essentially means the perpetrators have built a supercomputer, which is literally generating money, while the legitimate owners remain unaware," Leigh-Anne Galloway, cyber resilience lead at Positive Technologies, told us. "It's a bit like a criminal breaking into a factory when no-one is looking and secretly using company machines for their own means, except in this case it is data capacity being used to mine Bitcoins."

The scans have suggested that the code was installed without the owner's permission on many affected sites.

Coinhive told the BBC, "We had a few early users that implemented the script on sites they previously hacked, without the site owner's knowledge. We have banned several of these accounts and will continue to do so when we learn about such cases."

Cloud at risk

Websites are not the only thing at risk from surreptitious code injection. Matthew Caesar of the University of Illinois said that it is also a problem for companies running cloud-based services.

"If someone can hack into a cloud account they have access to a huge amount of computer power," he said. "They can get huge value from those accounts because there's not much limit on the number of machines they can use.

"Often, the billing systems the cloud services run do not reveal what's going on. Someone can get in and cause a lot of damage before they are shut down."

Caesar and student Rashid Tahir are currently developing a monitoring system that can identify when such mining software is being used, and are working with an unnamed cloud company to deploy it on their network.

Galloway told us, "This is why it is so important to understand what code is running on your website, and put countermeasures in place… Organisations need to be constantly monitoring web applications, ensuring they have a solid grasp of all code which is running and enforcing change as soon as something suspicious crops up."
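One concrete form of the monitoring Galloway describes is a script-inventory check: record every `<script>` a page is supposed to serve (external ones by source URL, inline ones by hash), then periodically re-fetch the page and flag anything outside that baseline. The Python below is an added example written for this article, not code from Positive Technologies, Coinhive or any of the sites mentioned; the two HTML documents, the `/static/app.js` path and the `miner.example.invalid` host are constructed for the demo.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external by src, inline by body."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def inline_hash(body):
    return hashlib.sha256(body.strip().encode()).hexdigest()


def build_baseline(html):
    """Compute the allowlist from a known-good copy of the page."""
    external, inline = collect_scripts(html)
    return set(external), {inline_hash(b) for b in inline}


def audit_page(html, allowed_sources, allowed_inline_hashes):
    """Return (kind, detail) findings for every script outside the baseline."""
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        if src not in allowed_sources:
            findings.append(("unexpected-external-script", src))
    for body in inline:
        digest = inline_hash(body)
        if digest not in allowed_inline_hashes:
            findings.append(("unexpected-inline-script", digest))
    return findings


# Constructed known-good page: one first-party script and one config snippet.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.appConfig = {"lang": "en"};</script>
</head><body><h1>Welcome</h1></body></html>"""

# Constructed tampered copy: the same page with two injected scripts.
TAMPERED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.appConfig = {"lang": "en"};</script>
<script src="https://miner.example.invalid/lib.min.js"></script>
<script>runInBackground("CONSTRUCTED-SITE-KEY");</script>
</head><body><h1>Welcome</h1></body></html>"""


if __name__ == "__main__":
    sources, hashes = build_baseline(BASELINE_HTML)
    for kind, detail in audit_page(TAMPERED_HTML, sources, hashes):
        print(f"ALERT {kind}: {detail}")
```

In practice the baseline is generated from the deployed build artefact rather than from a live fetch, so that a page compromised before the first scan does not become the allowlist; the live check then runs on a schedule and feeds alerts into the same pipeline as other web-application monitoring.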