CryptoJacking Threat to Universities Grows
Friday, April 6, 2018
New report finds that the education sector is being hit hardest by cryptojacking malware; meanwhile, one million sites face a Drupal flaw
The finger is being pointed at universities as being on the frontline of crypto mining efforts, according to a new report.
A group of researchers found that educational establishments are the most likely sector to experience crypto-mining on their networks, ranking way above the second-placed entertainment and leisure industry.
This could be due to students themselves using university and college networks to mine cryptocurrency, as well as outside attackers compromising them and co-opting computational power.
“Corporate enterprises enforce strict security controls to prevent cryptocurrency mining behaviours. However, universities do not have the same luxury with students. They can at best advise students on how to protect themselves and the university by installing operating system patches and creating awareness of phishing emails, suspicious websites and web ads”, noted the researchers from Vectra.
Interestingly, the researchers refer to ‘bitcoin mining’ in much of the research, which covers the period August 17 to Jan 18 and shows higher education coming out top, with more activity than the remaining four sectors combined. Over this period, however, ‘bitcoin mining’ would only have been feasible using high-power, specialised ASIC machines, a far cry from everyday network infrastructure and appliances. As the latter part of the report notes, mining Monero via the Coinhive in-browser script is a much more plausible student-generated issue, as any desktop PC can be used for that purpose.
The problem is nevertheless a considerable one for universities. Although cryptomining is not dangerous in itself, it consumes significant power and computational resources; it creates network noise that can hide serious security issues; it damages the reputation of an organisation’s IP addresses, which can end up blacklisted; and it gives cybercriminals an easier way into the network, since students download and run malware-laced files.
Of course, it is not just universities that need to be aware of the threat - a recent report from Symantec highlighted an 8,500 per cent surge in 'cryptojacking' cyber attacks in the final quarter of 2017 alone. Of all the online attacks blocked in that period by the security firm, a full 24 per cent were related to hijacking CPU power to mine digital currency.
Meanwhile Drupal admins are set for a bumpy ride after a major new vulnerability was discovered. The security hole, tracked as CVE-2018-7600 and assigned a risk score of 21/25, can be exploited simply by accessing a page on the targeted Drupal website, and impacts Drupal versions 6, 7 and 8. Discovered by researcher Jasper Mattsson, the flaw gives the attacker full control over a site, including access to non-public data and the possibility to delete or modify system data, according to the official security post.
Ilia Kolochenko, CEO, High-Tech Bridge commented on the flaw: "It has been a while since such a dangerous and easily exploitable RCE vulnerability has been discovered on such a popular CMS as Drupal. Drupal website owners should urgently install a security update. We can expect a massive exploitation of the vulnerability in the wild already by this afternoon. The situation is seriously aggravated by the Easter break, as many security and IT people will be away, granting attackers a huge advantage.
The problem is also in "shadow IT" applications running Drupal CMS, as many large organizations don't even know how many applications they have, and thus cannot mitigate the risk.
Breached websites will likely be used for data theft and further password reuse attacks, as well as for watering hole attacks to distribute ransomware and crypto miners. Many popular websites can be breached to conduct sophisticated spear-phishing attacks against their visitors.
Website users can temporarily mitigate the flaw using a WAF; however, the available security patch will likely be the only reliable way to properly mitigate the flaw."
The vulnerability has been patched with the release of Drupal 7.58, 8.5.1, 8.3.9 and 8.4.6. While Drupal 6 reached end of life and has not been supported since Feb 2016, a fix has still been developed due to the severity of the flaw and the high risk of exploitation.
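For the "shadow IT" inventory problem raised above, a patch sweep needs to turn each discovered Drupal version string into a verdict. The following is an added example (not code from the article, Drupal or High-Tech Bridge) that classifies a version against the fixed releases the article lists; the hostnames in the sample inventory are constructed, and treating any 8.x release newer than 8.5.1 as patched is an assumption.

```python
import re

# Minimum patched release per branch, as listed in the article (CVE-2018-7600).
FIXED_RELEASES = {
    (7,): (7, 58, 0, 0),
    (8, 3): (8, 3, 9, 0),
    (8, 4): (8, 4, 6, 0),
    (8, 5): (8, 5, 1, 0),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(version: str) -> tuple:
    """Normalise 'MAJOR.MINOR[.PATCH][-PRE]' into a 4-tuple that sorts correctly.

    A pre-release such as '8.5.1-rc1' gets a last element of -1 so it sorts
    below the final 8.5.1: an rc of the fixed version is not counted as fixed.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if pre else 0)


def triage(version: str) -> str:
    """Return 'patched', 'vulnerable', 'eol' (Drupal 6: end of life, check the
    separately developed fix by hand) or 'unsupported' (no fixed release for
    this branch in the advisory; upgrade to a fixed branch instead)."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major == 6:
        return "eol"
    if major == 7:
        return "patched" if v >= FIXED_RELEASES[(7,)] else "vulnerable"
    if major == 8:
        # Assumption: every 8.x release after 8.5.1 carries the fix.
        branch = (8, 5) if minor >= 5 else (8, minor)
        if branch in FIXED_RELEASES:
            return "patched" if v >= FIXED_RELEASES[branch] else "vulnerable"
        return "unsupported"  # 8.0.x to 8.2.x: no fixed release listed
    return "unsupported"


def inventory_report(installs: dict) -> dict:
    """Map {hostname: version} to {hostname: verdict} for a patch sweep."""
    return {host: triage(ver) for host, ver in installs.items()}


if __name__ == "__main__":
    sample = {"www": "8.5.0", "intranet": "7.58", "legacy-blog": "6.38",
              "events": "8.4.6", "dev": "8.5.1-rc1", "old-shop": "8.2.7"}
    for host, verdict in inventory_report(sample).items():  # constructed hosts
        print(f"{host:12s} {sample[host]:10s} {verdict}")
```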