Washington State educational organizations targeted in cryptojacking spree

The lucrative nature of cryptocurrency means no industry is safe.

US educational organizations are being targeted by threat actors intent on compromising their networks to covertly mine cryptocurrency. 

Known as cryptojacking, this form of attack usually relies on stealth, as the aim is to quietly install cryptocurrency mining components that siphon off the victim's computational power. 

Miner software abused by cyberattackers may attempt to generate cryptocurrency including Monero (XMR), Litecoin (LTC), Bitcoin (BTC), and Ethereum (ETH), and even if small amounts are mined, compromising large numbers of systems can make these attacks lucrative.  

According to a new advisory released by Palo Alto Networks' Unit 42 team, cryptojacking incidents have recently taken place against educational institutions in Washington State.

The researchers say that a UPX-packed cpuminer -- used to mine LTC and BTC -- has been delivered by way of malicious traffic. 

The first attack, spotted on February 16, involved a malicious HTTP request sent to a domain owned by an educational establishment. At first it looked like a "trivial command injection vulnerability," according to the team, but on closer examination it turned out to be a command sent to a webshell backdoor. 

If deployment is successful, the backdoor is then able to fetch and execute the cryptomining payload. In addition, the malware downloads a mini shell disguised as a wp-load.php file.

"Since the mini shell is not moved elsewhere, we speculate that the current directory of the mini shell, as well as the backdoor, is a web directory exposed to the internet," the report says. 
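The two artefacts described above, a PHP mini shell posing as wp-load.php inside a web-exposed directory and a UPX-packed cpuminer binary, can be hunted for with a simple file-system sweep. The script below is an added example for defenders and is not code from the Unit 42 report; the regexes, the 4 KiB marker window and the sample tree it builds are constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumed, not from the report): a PHP file that feeds a request
# parameter into an execution primitive, and an ELF whose leading bytes carry
# the UPX stub marker. Packers with stripped markers evade the second check.
EXEC_PRIMITIVE = re.compile(rb"\b(eval|system|passthru|shell_exec|exec|popen|proc_open)\s*\(")
REQUEST_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"


def looks_like_mini_shell(source: bytes) -> bool:
    """True when PHP source both reads request input and calls an exec primitive."""
    return bool(EXEC_PRIMITIVE.search(source) and REQUEST_INPUT.search(source))


def is_upx_packed_elf(data: bytes) -> bool:
    """True when an ELF header is followed by the UPX marker within 4 KiB."""
    return data.startswith(ELF_MAGIC) and UPX_MARKER in data[:4096]


def scan_webroot(root) -> list:
    """Walk a web-exposed directory; return (relative path, reason) pairs."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if path.name == "wp-load.php" and looks_like_mini_shell(data):
            findings.append((rel, "wp-load.php contains shell-like code"))
        elif is_upx_packed_elf(data):
            findings.append((rel, "UPX-packed ELF binary in web directory"))
    return findings


def build_sample_tree() -> str:
    """Constructed fixture: a genuine-looking wp-load.php, a fake one, a packed ELF."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-load.php").write_bytes(b"<?php\nrequire_once __DIR__ . '/wp-config.php';\n")
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (uploads / "wp-load.php").write_bytes(b"<?php system($_REQUEST['c']); ?>\n")
    (uploads / ".miner").write_bytes(ELF_MAGIC + b"\x00" * 60 + UPX_MARKER + b"\x00" * 100)
    return str(root)


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Run it against the real document root of a suspect server; any hit on the fake wp-load.php rule is worth checking against the WordPress bootstrap file shipped with the installed version.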

Cryptocurrency mined on infected systems is sent to two wallets owned by the operators. 

In two other incidents there were some differences in the user agent strings, pass values, and mining algorithms used, but the general attack method remained the same. 

"The malicious request [...] exhibits several similarities," Unit 42 noted. "It's the same attack pattern delivering the same cpuminer payload against the same industry (education), suggesting it's likely the same perpetrator behind the cryptojacking operation."

In March, a study of K-12 schools across the United States revealed a "record-breaking" year of cybersecurity incidents in 2020. The report cataloged over 400 incidents including ransomware, phishing attempts, website defacement, and denial-of-service (DoS) attacks. 
