Attackers Inject Persistent Cryptomining in Browsers

Attackers have found a new technique to make cryptocurrency mining, or cryptomining, inside browsers persistent, or at least to make it survive a user's normal attempts to close the browser window.

Drive-by cryptomining has become widespread in recent months with websites abusing visitors’ CPU resources without their permission, which has the effect of slowing down their computers and negatively impacting their browsing experience.

JavaScript cryptomining initially gained popularity thanks to a web-based Monero mining service called Coinhive, which provided webmasters with an API they could willingly integrate into their websites. But cybercriminals started to abuse the mining code by adding it to hacked websites, distributing it through ad networks and even integrating it into web browser extensions.

In-browser cryptomining has an important limitation: It stops when users close down the tab where the mining code is running. However, it seems some attackers have now found a way around that.

Researchers from antivirus firm Malwarebytes have spotted a new technique being used in a recent cryptomining attack launched from an adult website through an ad network. The mining code was executed in a new browser window that was specifically sized and positioned to be hidden behind the Windows taskbar.

Therefore, even if the victim closes all visible browser windows by clicking on their X button, the hidden one will remain open and will continue to mine Monero. The browser process consuming CPU resources will be visible in the Windows Task Manager, but most users are unlikely to check there if they think the browser has been closed.
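As an added, defender-side example (not code from the article or from Malwarebytes), the check below flags top-level windows that sit entirely outside the desktop work area, which is where a pop-under tucked behind the Windows taskbar ends up. It assumes a Windows desktop for the live enumeration via ctypes; the overlap test itself is plain Python, so it can also be exercised with constructed window rectangles on any OS.

```python
# Added example (not the article's or Malwarebytes' code): flag windows hidden outside the work area.
import sys
from typing import List, Tuple

Rect = Tuple[int, int, int, int]  # left, top, right, bottom, in screen pixels


def hidden_windows(windows: List[Tuple[str, Rect]], work_area: Rect) -> List[str]:
    """Return titles of windows that never overlap the work area (the desktop
    minus the taskbar), so they are never drawn on screen or closable by mouse."""
    wl, wt, wr, wb = work_area
    hidden = []
    for title, (l, t, r, b) in windows:
        if r <= l or b <= t:  # empty or inverted rectangle, ignore it
            continue
        overlaps = l < wr and r > wl and t < wb and b > wt
        if not overlaps:
            hidden.append(title)
    return hidden


def enumerate_windows_win32() -> Tuple[List[Tuple[str, Rect]], Rect]:
    """Collect visible top-level window rectangles and the work area (Windows only)."""
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.windll.user32
    found: List[Tuple[str, Rect]] = []

    @ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    def on_window(hwnd, _lparam):
        n = user32.GetWindowTextLengthW(hwnd)
        if user32.IsWindowVisible(hwnd) and n:
            buf = ctypes.create_unicode_buffer(n + 1)
            user32.GetWindowTextW(hwnd, buf, n + 1)
            rc = wintypes.RECT()
            user32.GetWindowRect(hwnd, ctypes.byref(rc))
            found.append((buf.value, (rc.left, rc.top, rc.right, rc.bottom)))
        return True

    user32.EnumWindows(on_window, 0)
    wa = wintypes.RECT()
    user32.SystemParametersInfoW(0x0030, 0, ctypes.byref(wa), 0)  # SPI_GETWORKAREA
    return found, (wa.left, wa.top, wa.right, wa.bottom)


if __name__ == "__main__" and sys.platform == "win32":
    wins, area = enumerate_windows_win32()
    print("Windows entirely outside the work area:", hidden_windows(wins, area))
```

A window that merely pokes into the work area (partially hidden) is not reported, since the user can still see and close it; only fully hidden windows, such as one placed in the taskbar strip or off-screen, are flagged.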

Aside from JavaScript, the mining code seen in the recent attack was also capable of using WebAssembly if the browser supported the technology. WebAssembly is a binary code format that browsers can execute at close to native speed, which makes it more efficient than JavaScript for CPU-heavy work such as mining.

“Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions and other tools to protect themselves,” the Malwarebytes researchers said in a blog post. “If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers.”

Apple’s macOS Root Patch Breaks File Sharing

Apple released an emergency update Wednesday to fix a serious flaw in macOS High Sierra that could have allowed attackers to re-enable the root account and log in without a password.

The patch was released in a rush, less than 24 hours after the vulnerability was publicly disclosed. Some users have reported problems with accessing file shares on their Macs after installing the update.

Apple has published a support article with instructions on how to repair file sharing. It involves opening a Terminal window, typing “sudo /usr/libexec/configureLocalKDC” (without quotes) and providing the administrator password when prompted.

Cisco Patches Critical Vulnerabilities in WebEx Suite

Cisco Systems released updates for several of its WebEx products to fix six vulnerabilities, four of which can potentially be exploited to achieve remote code execution.

The flaws stem from the parsing of Cisco Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files, which are used to store recordings of WebEx meetings. The vulnerabilities affect the WebEx Network Recording Players that are downloaded and installed on users’ systems when they try to play meeting recordings stored in those formats.

“A remote attacker could exploit these vulnerabilities by providing a user with a malicious ARF or WRF file via email or URL and convincing the user to launch the file,” Cisco said in an advisory Wednesday. “Exploitation of these vulnerabilities could cause an affected player to crash and, in some cases, could allow arbitrary code execution on the system of a targeted user.”

The WebEx Network Recording Players are also bundled with Cisco WebEx Business Suite (WBS30, WBS31 and WBS32), Cisco WebEx Meetings and Cisco WebEx Meeting Server. The company released updates for these products and encourages customers to install them, as there are no workarounds for mitigating the flaws.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
