COMPUTERS HACKED IN CRYPTOMINER ATTACK: More Than 400 Lab Machines Impacted Across Campus

by TIMOTHY HAMLING & STEPHEN ZUBRYCKY, Senior Writer & Managing Editor

Manhattan College’s computer system was compromised last month in a large-scale, cross-campus effort to mine cryptocurrency.

According to Information Technology Services (ITS), nearly all of the college’s roughly 500 lab computers were compromised in the attack. These included about 430 machines in the Research and Learning Center (RLC), De La Salle Hall and O’Malley Library.

ITS was made aware of the attack late in the day on Feb. 21, when the department received two reports of poor performance on lab computers in RLC. The mining software, operating under the name “NsCpuCNMiner64” was able to chew up as much as 80 or 90 percent of the computers’ processing power.

“Both tickets described slow performance, and then one of them just flat out said, ‘There’s a cryptominer on this computer,” Richard Musal, ITS’ director of client services, said.

Screen Shot 2018-03-04 at 10.19.02 AM
Jake D. Holmquist MANHATTAN COLLEGE/COURTESY

Student- and staff-owned computers and devices were not affected by the attack.

The attack was carried out using an ITS administrator account reserved for use by the department’s student employees.

“We do share a limited-use admin account which gives [student workers] escalated privileges normally meant for doing installation things or stuff required on the lab computers,” Chief Information Officer Jake D. Holmquist said. “That’s the account we’re talking about having been handed out or credentials obtained.”

ITS has since eliminated the administrator credential that had been compromised and taken further steps to close some of the routes by which the attack was carried out.

“We did trace some paths that the attacker probably took. And it looks like the software was installed over the course of about 24 to 36 hours, kind of coming to a culmination that Wednesday [Feb. 21] night,” Director of Enterprise Infrastructure Robert Moran said.

According to Moran, this was name a remote exploit.

“ You have to log into each individual machine [to fix the issue]. We think that the attacker physically sat down and logged into a number of them and then used a remote login to access others, and that’s one of those things that, again, we had open for administration purposes that we have closed,” Moran said.

In addition to the remote login feature, ITS has eliminated the administrator credential that was compromised in the attack.

Extensive steps to eliminate the cryptomining malware were taken the following day.

“Remediation steps were taken on Thursday [Feb. 22] morning to first disable and then remove the malware,” Holmquist said.

The remediation process involved completely reimaging the 430 compromised lab computers.

“During that process, ITS evaluated the risk of effect on performance. We saw that no additional malware was running, which is a good thing,” Holmquist said. “Finally, we took additional precautionary steps to reimage all affected lab computers.”

The investigation has now made its way to Public Safety, who emphasizes the severity and consequences of the attack.

“It’s important that students know a cyber attack like this is taken very seriously. It’s both a violation of both college rules as well as local laws,” Juan Cerezo, director of public safety, said.

“This matter is being handled by Public Safety and we do have a person of interest,” Cerezo wrote in an email.

Neither Public Safety nor ITS could comment on the identity of the suspect.

IMG-1797
The fifth floor O’Malley computer lab was one of several affected labs. ROSE BRENNAN / THE QUADRANGLE.

The term ‘cryptocurrency’ has been gaining prominence in recent months. Bitcoin, one of the most popular forms of cryptocurrency, hit a peak value of nearly $18,000 last December, leading to a surge of interest.

Cryptocurrencies are decentralized digital currencies, meaning that transactions that are carried out using cryptocurrencies are not managed by central organizations such as banks.

However, the cryptominer that was found on Manhattan College’s computers has capabilities that go beyond just Bitcoin.

“This particular miner can actually mine a few different cryptocurrencies and tries to make a decision based on processing power available, the video card in the computer,” said Moran.

In order to keep these cryptocurrency transactions fraud-free, complicated algorithms and encoding functions are used. These functions work using specific values and numbers, called “nonces.”

The task of finding a working nonce that validates a transaction uses a lot of computer processing time and power. Miners must test billions of possible combinations until a correct nonce is found.

The miners that find a valid nonce are given some amount of cryptocurrency as compensation for their effort. By using more computers and working together with other miners, nonces can be found faster and miners will ultimately receive more compensation.

Thus, if a miner had access to a large network of computers, like the one at Manhattan College, he or she could find more nonces faster, yielding more profit.

ITS says the campus computer system is now secure and has confirmed that there was no compromise of confidential information as a result of the attack.

“We classified what the risk was of this running on the machines, and we found there was no risk of compromising sensitive user information,” Holmquist said.

To prevent future attacks, Public Safety and ITS urge vigilance on the part of students.

Associate Director of Public Safety and Risk Management Peter DeCaro recommends that students act in a “see something, say something manner.”

“Cybercrime seems to be the latest thing and you hear about it more and more. Students should know that the best way to catch these attacks is by letting us or IT know,” DeCaro said. “If students ever think something is ever wrong […] in terms of computers, report it.”