Messaging app Telegram has become the latest victim of cryptocurrency mining malware, as researchers at Kaspersky Lab have revealed a now-patched vulnerability that allowed hackers to exploit a flaw in the platform’s file transfer service.

Kaspersky said that the vulnerability, which was first exploited in March 2017 and discovered by researchers in October, was a “classic right-to-left override attack.”

Simply put, this attack exploited the portion of Telegram’s software that enabled the messenger to recognize Arabic and Hebrew, languages which are read right to left. The hackers were able to use this feature to reverse the order of characters in filenames, which allowed them to disguise suspicious file extensions as images or other seemingly non-threatening file types.

After users downloaded the files, embedded scripts would silently unleash a malware payload on the target operating system. One of the most prominent payloads was malware that harnessed the target computer’s processing power to mine cryptocurrencies for the attackers.
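The disguise described above relies on Unicode bidirectional control characters inside a file name. The following is an added example, not code from the article or from Kaspersky: a defender-side check that flags names carrying such characters and compares the extension a user would see with the one the operating system will actually act on (file names and the simplified rendering model are constructed for illustration).

```javascript
// Added example (not code from the article or from Kaspersky): a defender-side
// check for the right-to-left override trick. It flags file names containing
// Unicode bidirectional control characters and compares the extension a user
// would see with the one the operating system will act on.
const BIDI_CONTROLS = /[\u200E\u200F\u202A-\u202E\u2066-\u2069]/;
const RLO = "\u202E"; // RIGHT-TO-LEFT OVERRIDE

function stripBidi(s) {
  return s.replace(new RegExp(BIDI_CONTROLS.source, "g"), "");
}

// Simplified rendering model: text after an RLO is displayed reversed up to the
// end of the name. Real bidi layout has more rules; this is enough to show why
// the displayed extension and the real one diverge.
function displayedName(name) {
  const i = name.indexOf(RLO);
  if (i === -1) return stripBidi(name);
  const tail = stripBidi(name.slice(i + 1));
  return stripBidi(name.slice(0, i)) + Array.from(tail).reverse().join("");
}

// Extension as the filesystem sees it: text after the last dot, controls removed.
function extensionOf(name) {
  const clean = stripBidi(name);
  const dot = clean.lastIndexOf(".");
  return dot === -1 ? "" : clean.slice(dot + 1).toLowerCase();
}

// Report on one name; `suspicious` is true only when control characters make the
// visible extension differ from the real one, so ordinary RTL file names pass.
function inspectFilename(name) {
  const hasBidi = BIDI_CONTROLS.test(name);
  const shown = displayedName(name);
  const real = extensionOf(name);
  const apparent = extensionOf(shown);
  return { hasBidi, shown, real, apparent, suspicious: hasBidi && real !== apparent };
}

// Constructed sample names: a plain image, a legitimate Arabic name carrying an
// embedding mark, and one where the override makes a .scr look like a .png.
const SAMPLES = ["holiday_photo.png", "\u202Bملف.txt", "photo_\u202Egnp.scr"];
for (const n of SAMPLES) console.log(inspectFilename(n));
```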

[Image: cryptocurrency mining malware. Source: Kaspersky]

These miners were primarily developed for the Equihash and Cryptonight mining algorithms, which are employed by privacy-centric cryptocurrencies Zcash (ZEC) and Monero (XMR), respectively.

Although the vulnerability affected all Telegram users, Kaspersky said that it appears only Russian hackers exploited it, which is why the vast majority of victims were Russian residents.

These types of attacks have become quite common in recent months, particularly since the development of CoinHive, a mining script that can be embedded in the background of websites to harness the computing power of visitors.

As BlockExplorer reported, more than 4,200 websites hosted by government agencies in the US and UK have recently been compromised through the use of a tool called BrowseAloud and injected with CoinHive-based mining malware scripts.

Telegram denied that the exploit was the result of a “real vulnerability,” arguing that users bore responsibility for choosing to download the files.

“This is not a real vulnerability on Telegram Desktop, no one can remotely take control of your computer or Telegram unless you open a (malicious) file,” Reuters cited the company as saying in a statement.

Nevertheless, the timing of the vulnerability’s disclosure is awkward for Telegram, as the company is reportedly preparing to launch a record-shattering initial coin offering (ICO) that could raise up to $2 billion.


A large number of websites, including sites hosted by the United States and United Kingdom governments, have been compromised. The compromised web pages were made to serve cryptocurrency mining scripts, which use the resources of the visitor’s computer to mine cryptocurrency, in this case maliciously and without consent from the computer’s owners.

Use of accessibility tool BrowseAloud in attack

The pages were compromised through the use of an accessibility tool known as BrowseAloud, which augments web pages with extra JavaScript to allow visually impaired users to browse the page using audio cues. The websites were all compromised because they loaded scripts from BrowseAloud’s servers in order to provide text to speech, so the attackers needed only to break into BrowseAloud’s servers to compromise all of its customers. The cryptocurrency miner used was the now infamous CoinHive Monero (XMR) web miner. CoinHive is designed to give content producers a way to be paid for the content they provide. It has since been used in a large number of website compromises, due to its ease of use and its use of the privacy-focused cryptocurrency Monero. Monero allows attackers to remain extremely anonymous, to the point that others can only guess at the profits gained.

Mitigation of the compromise

This attack can be mitigated rather easily by both content providers and content consumers. Content providers need only verify the hash of the script they are serving, since a modified script will have a different hash from the expected script. Content consumers can either use NoScript plugins in their browsers to block all JavaScript on web pages, or use other plugins such as uBlock Origin, which, if configured correctly, will block all requests going to CoinHive’s servers.

Ethereum developers have launched an alpha test network (testnet) for Casper, paving the way for the cryptocurrency to eventually transition to a proof-of-stake (PoS) consensus algorithm.

Like bitcoin, ethereum currently operates on a proof-of-work (PoW) consensus algorithm, meaning that the network is secured and new currency units are issued through “mining,” whereby participants solve cryptographic puzzles to validate transactions and create new blocks.

However, PoW has attracted criticism over the years, both for its tendency to centralize mining hardware into a few pools and for the amount of electricity it consumes.

Ethereum to implement Proof-of-Stake

Ethereum aims to address these problems by transitioning to Casper, a proof-of-stake (PoS) consensus algorithm. Under Casper, participants can become validators by locking up or “staking” ether. Validators will take turns proposing and voting on blocks, and both the weight of their votes and the size of their rewards will hinge on the size of their stakes.

According to developers, moving to Casper will greatly reduce the amount of electricity “wasted” through PoW mining. In addition to limiting its environmental impact, PoS will allow ethereum to dramatically reduce its rate of currency inflation since validators will have much lower overhead and will thus require smaller rewards to incentivize them to continue to serve as validators.

Moreover, PoS will also reduce the incentive that validators have to centralize their influence. With decreased centralization comes increased security and, importantly, resistance to dreaded 51 percent attacks.

Ethereum is not the first project to attempt to integrate a PoS consensus algorithm. However, most previous PoS implementations have been criticized because, in the event of a blockchain split, validators are incentivized to try to make blocks on top of every chain rather than resolving the consensus back to a single blockchain.

[Image: Casper. Source: Ethereum/GitHub]

Casper aims to solve this problem by imposing economic penalties on malicious validators that violate the network’s rules. This ensures that validators are properly incentivized to achieve consensus on a single blockchain in the event of a network split.

Following three years of development, Casper has officially entered alpha testing, and the first full-featured testnet has launched. The software must still traverse several release checkpoints before it is ready to launch on the main network, but this alpha release nevertheless marks an important step toward its eventual activation on the main ethereum network.

[Image: Casper. Source: Vitalik Buterin/Twitter]

Users can join the testnet by following the instructions in this guide, and once online they can send transactions and become validators, just as they would on a normal network, although the network’s performance is not indicative of how production clients will operate once the project receives an official release.


Government cryptocurrency is coming, whether we want it to or not. On the 28th of December in Caracas, Venezuela’s Information Minister Jorge Rodriguez said at a press conference regarding the ‘Petro’, broadcast on state TV on Thursday: “It is a matter of days before we announce the first issuance of the ‘petro’ cryptocurrency.”

Early in December, Venezuelan President Nicolas Maduro announced that Venezuela would be issuing their own cryptocurrency in order to circumvent U.S.-led financial sanctions.

According to Rodriguez on Thursday, the Petro will help Venezuela face the increasing international diplomatic opposition to President Nicolas Maduro’s crackdown on political opposition at home. Rodriguez also hopes the Petro will help the country skirt sanctions or attacks on Venezuela from the international financial system at large. “It will allow us to overcome any financial blockade,” he said.

Not the first announced government cryptocurrency, but Petro could possibly be the first to market

While not the first announcement of a government-issued cryptocurrency, nor nearly the first time a government has meddled in crypto, the Petro is the first cryptocurrency to be backed by physical assets. Maduro stated on Wednesday that more than 5 billion barrels of Venezuelan oil will serve as the backing for the cryptocurrency. This oil should be able to back around $267 billion worth of currency, compared to Bitcoin’s current market cap of $247 billion.

While he didn’t give any further details on mining or how this would be secured or “decentralized,” Rodriguez did say that miners were already lined up. Needless to say, we’re eager to find out how this government cryptocurrency will function.

Venezuela to launch Petro cryptocurrency


A Starbucks in Buenos Aires, Argentina was mining Monero (XMR) on customers’ devices without their permission. Twitter user Noah Dinkin noticed that a Starbucks location in Buenos Aires was using its WiFi captive sign-in portal to force a 10-second delay when users first connected to the WiFi, during which their devices mined Monero. The user originally assumed that the Starbucks WiFi was attempting to mine Bitcoin, but it was in fact mining Monero. XMR is currently trading at $286.27 according to the Block Explorer Monero Price Index.

Starbucks has not responded to the outcry on social media about their use of Coinhive

Coinhive is in-browser software that mines Monero with JavaScript using visitors’ ‘extra’ CPU power. Coinhive usage has been increasing and is expected to increase both legitimately and illegitimately.

The Palo Alto Networks Research Center has stated that it has seen 36,842 instances of Coinhive being implemented. Out of these 36,842 instances, it claims that a large proportion fall into the category of ‘compromised’, likely being the result of malicious script injection into vulnerable servers. In some cases, multiple copies have been injected and use up 100% of the user’s available resources. One specific payee identity alone is tied to over 35,000 of these instances.


Edit: Since the time of writing, Starbucks issued the following statement:

As soon as we were alerted of the situation in this specific store last week, we took swift action to ensure our third-party support provider resolved the issue and made the changes needed in order to ensure our customers could use Wi-Fi in our store safely.