Coinhive Campaign Injecting Mining Code into Vulnerable Websites

On January 2, security researcher Brian Krebs alerted the mobile phone company BlackBerry via Twitter about Coinhive cryptocurrency mining code embedded in one of the company’s websites. Inspection of the website’s source code revealed an API key associated with a cryptojacking campaign that, according to research conducted using the Censys.io internet search engine, appears to be affecting hundreds of websites with no obvious connection to one another. A sampling of these websites revealed that the code was injected in or above the website’s header, designed to run as soon as visitors opened the page, immediately spiking their systems’ CPU usage to 100 percent as it conducted cryptocurrency mining activity to generate profit for the person or group behind the campaign. Websites impacted appear to be operated by various organizations across several sectors, including government, education, and private businesses in multiple countries. The NJCCIC assesses with high confidence that websites containing known and exploitable vulnerabilities are and will continue to be targeted by profit-motivated hackers attempting to generate cryptocurrency through unauthorized mining activities. We recommend all website owners and administrators regularly examine their website for unauthorized code such as that shown in the following image. Additionally, we recommend keeping website platforms and plugins up-to-date, close all unnecessary ports on website servers, protect administrator accounts with unique, complex passwords and two-factor authentication, and consider implementing a web application firewall.