Municipal office mined Monero: one more reason to secure your PC at the browser level

As the service niebezpiecznik.pl reports, in Kołbaskowo near Szczecin there has been a break-in to a web server (or an unauthorized modification of the website), aimed at adding to the page code a JavaScript script that mines the Monero cryptocurrency without the consent and knowledge of the administrator.

This way of raising additional funds is not new. Last year researchers from GuardiCore warned about PhotoMiner, which had a unique mechanism for infecting websites. The worm used dictionary attacks on FTP accounts with weak credentials. Infected sites were then used to infect the computers of visiting users: once installed on a system, the worm used the machine's processing power to mine the same cryptocurrency, Monero. One of the worm's modules carried out brute-force attacks on further FTP servers, causing a domino effect:

Functional diagram of the worm.

It is possible that the municipality of Kołbaskowo was the victim of a similar attack, or of code injection through a vulnerability in the website's management application.

The Secretary of the municipality, Janusz Kwidzińsczi, answered the editors of Niebezpiecznik as follows:

- the page ran an outdated version of Joomla vulnerable to attacks; it has been updated,

- the page/file was modified because of incorrect permission settings on the directory and out-of-date modules/CMS,

- after the update and a scan, the page shows no susceptibility to attacks,

- in the period from Friday to Sunday there were about 120 thousand calls and about 3 thousand unique visits; because of the amount of data, finding the suspect IP address will take some time.

The script that was appended to kolbaskowo.pl does not cause damage to the client computer; it only uses its processing power.

The Office has taken preventive measures in the form of verifying the agreement on support and security of the page and, in future, enforcing that the CMS is kept updated to the current version, to prevent similar situations. We apologize for the incident and thank you for reporting the problem.

Preventive measures have been taken after the fact. But better late than never.

This example clearly shows that the security of computers should start at the browser, in the case of home users, or already at the gateway level using UTM/NGFW devices in companies.

Cryptojacking

The technique applied here is cryptojacking. A script written in JavaScript can easily be embedded on any site. When a user visits the infected page, the computing power of their machine is taken over to mine cryptocurrency. The more time the user spends on such a site, the more CPU cycles cyber criminals can use.

The website of the municipality of Kołbaskowo is not the first and will not be the last. A malicious Monero script has already been identified on pages such as gazeta.pl, katowice.naszemiasto.pl, warszawa.naszemiasto.pl, nowiny24.pl, rp.pl and many, many others. Most of them have a common denominator: providers of rotating ads, who rarely verify what goes into the systems that display ads on their partners' websites.

Bitdefender experts have warned about similar threats: they found a bot that changes the configuration of a 64-bit Linux-based operating system for Ethereum mining and is used to steal funds from Ethereum mining operations.

How to protect yourself against miners

  1. The public GitHub repository contains the "No Coin" plug-in for the Firefox, Chrome and Opera browsers. The extension has already been added to the official repositories of each vendor. We recommend installing it, because it protects not only against this Monero mining script but also against other miners, whose number may grow.
  2. Installing the ad blocker "uBlock Origin" gives a similar effect. In "My filters" add coin-hive.com/lib/coinhive.min.js, prefixing the entry with the protocol https://. In addition to blocking ads, spam hosts, hosts with malicious ads, spyware hosts and malware hosts, we gain the ability to block custom URLs.
  3. We also recommend the very effective Bitdefender TrafficLight plug-in for scanning web pages. The installer automatically detects your browser (Chrome, Firefox or Safari) and takes the user to the repository with the extension file. By installing the Bitdefender add-on we get one of the most effective scanners in the world for detecting phishing, malware and fraudulent pages, as well as protection in search results.
  4. Install the NoScript browser add-on (not a "user-friendly" solution).
  5. Most security programs with web-page scanning modules should already detect similar malicious scripts. Like it or not, we are once again richer for an experience that strengthens the belief that computer protection should be comprehensive and start right at the browser.
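
The same blocklist idea can be applied on the server side: a check a site administrator could run over published pages to flag script tags that load from the coin-hive.com host named in the filter entry above, or that mention it in a path or inline. This is an added example, not code from the article or from any of the tools it lists; the keyword match, the function names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_HOSTS = {"coin-hive.com"}  # host from the filter entry quoted in the article
KEYWORD = "coinhive"  # assumption: matched case-insensitively in paths and inline code

class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (kind, detail) tuples
        self._inline = None      # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = (dict(attrs).get("src") or "").strip()
        if not src:
            self._inline = []    # inline script: collect its body
            return
        url = urlparse(src)      # also handles protocol-relative //host/path
        host = (url.hostname or "").lower()
        bad_host = any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)
        if bad_host or KEYWORD in url.path.lower():
            self.findings.append(("external", src))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            if KEYWORD in "".join(self._inline).lower():
                self.findings.append(("inline", "mentions " + KEYWORD))
            self._inline = None

def audit_html(html):
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page, not taken from the affected site.
SAMPLE_PAGE = """<html><head>
<script src="/media/js/jquery.min.js"></script>
<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script>initWidget("coinhive");</script>
</head><body>Municipal news</body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE_PAGE))
```

A clean result only means none of the listed hosts or keywords appear; it does not replace comparing deployed files against a known-good copy of the site.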



We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.