As the crypto industry grows, it continues to draw the attention of both good and bad actors. While there have been many success stories surrounding cryptocurrencies, the industry also has a dark side that has held it back from gaining mainstream recognition.
Over the last few years, the crypto industry has been plagued by hackers. From draining assets held in the hot wallets of crypto exchanges to infecting computers with malware and ransomware, the cryptocurrency space has become a hunting ground for cybercriminals. One very common type of attack these days is cryptojacking.
Cryptojacking is a technique in which attackers stealthily hijack the computing resources of a victim's hardware to mine cryptocurrency for themselves. While the rate of conventional ransomware attacks has declined, the rate of the more dangerous cryptojacking attacks is on the rise.
Moving up from regular computers
These attacks were previously limited to ordinary personal computers, but recent reports reveal that multiple supercomputers have now been remotely compromised and infected with cryptojacking malware that mines cryptocurrency on them.
A report published by the media outlet ZDNet states that multiple supercomputers across Europe were infected, requiring the systems to be shut down once the intrusions were discovered. The hackers used SSH (remote access) credentials stolen from individuals authorized to operate the machines.
According to Chris Doman, co-founder of the UK-based cyber-security firm Cado Security, the malware was designed to use the supercomputers' processing power to mine Monero (XMR). While many of these systems appear to have been supporting research toward a coronavirus vaccine, in-depth details about the incidents and each computer's purpose were not provided.
The first report surfaced on May 11 at the University of Edinburgh, home to the ARCHER supercomputer. The organization reported that it had shut the system down for further investigation. To date, the system remains offline. The university has noted:
“The ARCHER and Cray/HPE System Teams continue to work on ARCHER and getting it ready to return to service. We anticipate that ARCHER will be returned to service later this week.”
Next, bwHPC, a Germany-based organization that coordinates research projects across supercomputers, announced that five of its high-performance systems had been shut down due to similar "security incidents."
On May 13, a supercomputer in Barcelona was also attacked and shut down. Researcher Felix von Leitner announced the incident in a blog post discussing the security issue.
The attacks continued on May 14, when the Leibniz Supercomputing Centre (LRZ), an institute of the Bavarian Academy of Sciences, noted that it had disconnected a computing cluster from the network to investigate a security breach.
Over the last weekend, Robert Helling, a German scientist, published an in-depth analysis of similar malware that was also infecting supercomputers at the Faculty of Physics of the Ludwig-Maximilians University in Munich, Germany.
The Swiss National Supercomputing Centre (CSCS), operated by ETH Zurich, also disconnected its supercomputer after a "cyber-incident," and it will remain offline "until having restored a safe environment."
Malware samples and network compromise indicators from some of these events were released by the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers across Europe.
Cado Security's analysis of the samples revealed that the SSH credentials may have been stolen from universities in Canada, China, and Poland.
Doman added that there is no solid evidence that the attacks were carried out by the same individual or group, but evidence such as similar malware file names and network indicators suggests they may have originated from a single source.
The analysis adds that, after logging in with the stolen credentials, the attackers used an exploit for a Linux kernel vulnerability (CVE-2019-15666) to gain root access to the system and then launched an application that mined XMR. The chain is therefore stolen credential, local privilege escalation on an unpatched kernel, then a miner; a site that keeps login nodes patched and watches for one account being used from several unexpected places removes two of the three links.
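The first link in that chain, a stolen SSH credential being reused, leaves a trace in the sshd log: one account accepted from several distinct source addresses in a short window. As an added example that is not part of the article and not code from Cado Security, EGI CSIRT or any of the affected sites, the following Python script parses constructed sshd log lines (the hostnames, usernames and addresses are made up; the log format is the standard syslog "Accepted ... for ... from ..." line) and flags accounts that show that pattern.

```python
"""Flag SSH accounts whose accepted logins arrive from several distinct
source addresses within a short window: one signal of a stolen, shared
credential. Sample data below is constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines (RFC 5737 documentation addresses), not from any real incident.
# 'alice' logs in twice from one host; 'bob' is accepted from three hosts in four minutes.
SAMPLE_AUTH_LOG = """\
May 11 02:14:07 login1 sshd[4012]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
May 11 02:20:44 login1 sshd[4098]: Accepted publickey for alice from 192.0.2.10 port 51300 ssh2
May 11 03:05:12 login1 sshd[4211]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
May 11 03:07:51 login1 sshd[4230]: Accepted publickey for bob from 203.0.113.44 port 40022 ssh2
May 11 03:09:03 login1 sshd[4244]: Accepted publickey for bob from 203.0.113.91 port 40100 ssh2
May 11 03:40:00 login1 sshd[4310]: Failed password for root from 203.0.113.91 port 40250 ssh2
"""

# Only successful logins matter here; failed attempts are skipped by the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_accepted(log_text, year=2020):
    """Return a list of (timestamp, user, source, auth_method) for every
    'Accepted' line. syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"], m["method"]))
    return events


def flag_shared_credentials(events, window=timedelta(hours=1), min_sources=2):
    """Return {user: sorted list of source addresses} for each user whose
    accepted logins inside some `window` come from at least `min_sources`
    distinct sources. A sliding window anchored at each login keeps a user
    with one home address (alice) from being flagged."""
    by_user = defaultdict(list)
    for ts, user, src, _method in events:
        by_user[user].append((ts, src))
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            sources = {src for ts, src in items[i:] if ts - t0 <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    for user, sources in flag_shared_credentials(parse_accepted(SAMPLE_AUTH_LOG)).items():
        print(f"{user}: accepted from {len(sources)} sources within 1h: {', '.join(sources)}")
```

On a real login node the input would be /var/log/auth.log or the output of `journalctl -u ssh`, and the window and threshold should be tuned to the site: researchers do legitimately log in from a laptop and a campus host in the same hour, so the flagged list is a queue for a human to check against the user, not an automatic lockout.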