Messaging app Telegram has become the latest victim of cryptocurrency mining malware, as researchers at Kaspersky Lab have revealed a now-patched vulnerability that allowed hackers to exploit a flaw in the platform’s file transfer service.

Kaspersky said that the vulnerability, which was first exploited in March 2017 and discovered by researchers in October, was a “classic right-to-left override attack.”

Simply put, this attack exploited the portion of Telegram’s software that enabled the messenger to recognize Arabic and Hebrew, languages which are read right to left. The hackers were able to use this feature to reverse the order of characters in filenames, which allowed them to disguise suspicious file extensions as images or other seemingly non-threatening file types.

After users downloaded the files, embedded scripts would silently unleash a malware payload on the target operating system. One of the most prominent payloads was malware that harnessed the target computer’s processing power to mine cryptocurrencies for the attackers.
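Because the trick relies on an invisible Unicode control character, it can be flagged before a file is ever opened. The following is an added example, not code from the article or from Kaspersky or Telegram, that checks an attachment name for bidirectional override characters and reports the extension a user would see next to the one the operating system will actually use. The file names are constructed, and the rendering rule (everything after U+202E shown reversed) is a simplified model of the Unicode bidirectional algorithm, assumed here for illustration.

```javascript
// Added example (not from the article, Kaspersky or Telegram): a defender-side
// check for right-to-left override tricks in file names. Sample names are
// constructed; the rendering model is a simplification of UAX #9.

// Unicode bidirectional control characters that can reorder displayed text.
const BIDI_CONTROLS = new Set([
  '\u202A', // LEFT-TO-RIGHT EMBEDDING
  '\u202B', // RIGHT-TO-LEFT EMBEDDING
  '\u202C', // POP DIRECTIONAL FORMATTING
  '\u202D', // LEFT-TO-RIGHT OVERRIDE
  '\u202E', // RIGHT-TO-LEFT OVERRIDE (the character this attack relies on)
  '\u2066', // LEFT-TO-RIGHT ISOLATE
  '\u2067', // RIGHT-TO-LEFT ISOLATE
  '\u2068', // FIRST STRONG ISOLATE
  '\u2069', // POP DIRECTIONAL ISOLATE
]);

const RLO = '\u202E';

// True if the name contains any bidi control. Ordinary file names essentially
// never need these, so their presence alone is worth flagging.
function hasBidiControl(name) {
  return Array.from(name).some((ch) => BIDI_CONTROLS.has(ch));
}

// Remove bidi controls so the name can be shown safely in a log or UI.
function stripBidiControls(name) {
  return Array.from(name).filter((ch) => !BIDI_CONTROLS.has(ch)).join('');
}

// Extension of a name as stored: the text after the last dot.
function extensionOf(name) {
  const dot = name.lastIndexOf('.');
  return dot === -1 ? '' : name.slice(dot + 1).toLowerCase();
}

// The extension the operating system actually uses, taken from the raw name
// with controls stripped so they cannot hide inside the extension itself.
function realExtension(name) {
  return extensionOf(stripBidiControls(name));
}

// Simplified rendering model: everything after the first RLO is displayed
// reversed. This is what makes a stored "gnp.js" appear on screen as "sj.png".
function displayedName(name) {
  const idx = name.indexOf(RLO);
  if (idx === -1) return stripBidiControls(name);
  const prefix = stripBidiControls(name.slice(0, idx));
  const rest = stripBidiControls(name.slice(idx + 1));
  return prefix + Array.from(rest).reverse().join('');
}

// The extension a user would believe they are opening.
function apparentExtension(name) {
  return extensionOf(displayedName(name));
}

// Verdict for one incoming attachment name.
function classifyFilename(name) {
  const real = realExtension(name);
  const apparent = apparentExtension(name);
  const bidi = hasBidiControl(name);
  let reason = 'no bidi control characters';
  if (bidi && real !== apparent) {
    reason = `bidi override makes .${real} look like .${apparent}`;
  } else if (bidi) {
    reason = 'bidi control character present in file name';
  }
  return {
    displayed: displayedName(name),
    realExtension: real,
    apparentExtension: apparent,
    suspicious: bidi,
    reason,
  };
}

// Constructed sample names: one benign, one using the override trick.
const SAMPLE_NAMES = ['holiday.png', 'photo_high_re\u202Egnp.js'];

for (const name of SAMPLE_NAMES) {
  console.log(JSON.stringify(classifyFilename(name)));
}
```

Running it shows the second name displayed as `photo_high_resj.png` while its real extension is `js`. A messenger or mail gateway can apply the same check at receive time and either strip the control characters from the displayed name or warn on the mismatch; for a full rendering model, the Unicode bidirectional algorithm (UAX #9) rather than this simplified reversal should be used.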

[Image: cryptocurrency mining malware. Source: Kaspersky]

These miners were primarily developed for the Equihash and Cryptonight mining algorithms, which are employed by privacy-centric cryptocurrencies Zcash (ZEC) and Monero (XMR), respectively.

Although the vulnerability affected all Telegram users, Kaspersky said that it appears only Russian hackers exploited it, which is why the vast majority of victims were Russian residents.

These types of attacks have become quite common in recent months, particularly since the development of CoinHive, a mining script that can be implemented into the background of websites and used to harness the computing power of visitors.

As BlockExplorer reported, more than 4,200 websites hosted by government agencies in the US and UK have recently been compromised through the use of a tool called BrowseAloud and injected with CoinHive-based mining malware scripts.

Telegram denied that the exploit was the result of a “real vulnerability,” arguing that users bore responsibility for choosing to download the files.

“This is not a real vulnerability on Telegram Desktop, no one can remotely take control of your computer or Telegram unless you open a (malicious) file,” Reuters cited the company as saying in a statement.

Nevertheless, the timing of the vulnerability’s disclosure is awkward for Telegram, as the company is reportedly preparing to launch a record-shattering initial coin offering (ICO) that could raise up to $2 billion.

Featured Image from MaxPixel


A large number of websites, including sites hosted by the United States and United Kingdom governments, have been compromised. The compromised web pages were made to serve cryptocurrency mining scripts, which use the resources of the visitor’s computer to mine cryptocurrency, in this case maliciously and without consent from the computer’s owner.

Use of accessibility tool BrowseAloud in attack

The pages were compromised due to the use of an accessibility tool known as BrowseAloud, which augments web pages with extra JavaScript to allow visually impaired users to browse the page using audio cues. The websites were all compromised because they loaded scripts from BrowseAloud’s servers in order to provide text to speech, so the attackers needed only to break into BrowseAloud’s servers to compromise all of its customers. The cryptocurrency miner used was the now infamous CoinHive Monero (XMR) web miner. CoinHive is designed to give content producers a way to be paid for the content they provide. CoinHive has since been used in a large number of website compromises, due to its ease of use and its use of the privacy-focused cryptocurrency Monero. Monero allows attackers to remain extremely anonymous, to the point that others can only guess at the profits gained.

Mitigation of the compromise

This attack can be mitigated rather easily by both content providers and content consumers. Content providers need only verify the hash of the script they are serving, as a modified script will have a different hash from the expected script. Content consumers can either use the NoScript plugin in their browsers to block all JavaScript on web pages, or use other plugins such as uBlock Origin, which, if configured correctly, will block all requests going to CoinHive’s servers.

[Image: Starbucks mining Monero]

A Starbucks in Buenos Aires, Argentina was mining Monero (XMR) on customers’ devices without their permission. Twitter user Noah Dinkin noticed that a Starbucks location in Buenos Aires was using its Wi-Fi captive sign-in portal to force a 10-second delay when users first connected to the Wi-Fi in order to mine Monero. The user originally assumed that the Starbucks Wi-Fi was attempting to mine Bitcoin, but it was in fact mining Monero. XMR is currently trading at $286.27 according to the Block Explorer Monero Price Index.

Starbucks has not responded to the outcry on social media about their use of Coinhive.

Coinhive is in-browser software that allows users to mine Monero with JavaScript using their ‘extra’ CPU power. Coinhive usage has been increasing and is expected to increase both legitimately and illegitimately.

The Palo Alto Networks Research Center has stated that it has seen 36,842 instances of Coinhive being implemented. Out of these 36,842 instances, it claims that a large quantity fall into the category of ‘compromised’, likely being the result of malicious script injection into vulnerable servers. In some cases, multiple copies have been injected and use up 100% of the user’s available resources. One specific payee identity alone is tied to over 35,000 of these instances.


Edit: Since the time of writing, Starbucks issued the following statement:

As soon as we were alerted of the situation in this specific store last week, we took swift action to ensure our third-party support provider resolved the issue and made the changes needed in order to ensure our customers could use Wi-Fi in our store safely.