Coinhive DNS Server Compromised by Profit-Motivated Hacker

On September 21, the NJCCIC alerted members to a new and growing trend involving JavaScript (JS) code embedded in websites and designed to use visitors’ system resources, without their knowledge or consent, to mine cryptocurrency. Researchers have discovered JS code embedded in websites, online advertisements, and browser extensions that results in excessive CPU consumption, reducing the processing power available for other system tasks and causing running applications to become slow or unresponsive.

Coinhive, which promotes its JS code to website owners as a revenue-generating alternative to online advertisements, was the victim of a breach on Tuesday, October 24, when its DNS server was accessed by a profit-motivated hacker. This hacker replaced Coinhive’s DNS records, pointed the website’s domain to a different IP address, and pushed a new version of the JS mining file to websites that had the original file embedded. This new version contained code designed to mine cryptocurrency for the hacker instead of for the other Coinhive account holders. Coinhive blamed password reuse for the breach. Although this breach did not necessarily result in destructive malware being delivered to unsuspecting users’ systems, it highlights the risk posed by embedded elements within websites that pull content from remote servers not under the direct control of website administrators.

The NJCCIC recommends that users review and adjust their browser’s security settings to an acceptable risk level. Further risk mitigation considerations include installing a reputable ad-blocking, script-blocking, and coin-blocking extension in their browsers. Additionally, we recommend that website administrators regularly conduct website audits to identify and remove code and elements that are no longer needed, especially those that contain vulnerabilities or establish communication with remote servers, to reduce risk for their visitors and prevent damage to their reputations and brands.
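One way to start the website audit recommended above, as an added example that is not NJCCIC's or Coinhive's code: a small Python script that parses a page, lists every script loaded from a server other than the site's own, and flags those not pinned with a Subresource Integrity (integrity=) attribute, since a remote file swapped the way the alert describes would then fail to load instead of running. The site hostname, the sample page and the hash value in it are constructed placeholders.

```python
"""Audit an HTML page for third-party <script src> elements (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAuditor(HTMLParser):
    """Collect remote <script src=...> elements and whether they carry SRI."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (src, remote host, has integrity attribute)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)  # HTMLParser lower-cases attribute names
        src = attrs.get("src")
        if not src:
            return  # inline script; nothing is fetched from a remote server
        host = urlparse(src).hostname  # None for relative URLs such as /static/app.js
        if host is None or host.lower() == self.site_host:
            return  # same-origin, under the administrator's own control
        self.findings.append((src, host, "integrity" in attrs))


def audit_html(html, site_host):
    """Return third-party script URLs that lack SRI, so a change on the
    remote server would be executed by every visitor without any check."""
    auditor = ScriptAuditor(site_host)
    auditor.feed(html)
    return [src for src, _host, has_sri in auditor.findings if not has_sri]


# Constructed sample page: one local script, one remote script pinned with a
# placeholder SRI hash, and one unpinned remote script (hostnames are placeholders).
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://miner.example.org/lib/miner.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src in audit_html(SAMPLE_PAGE, "www.example.com"):
        print("unpinned third-party script:", src)
```

Running it over the sample page reports only the unpinned remote script; in practice the pinned entries also deserve review, since SRI only ensures the file has not changed, not that it was wanted in the first place.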