Government websites in US, UK and Australia hacked to run secret cryptocurrency miner
Thousands of government websites around the world have been hijacked to mine the cryptocurrency Monero. A commonly-used accessibility script was hacked to inject the Coinhive miner into official sites in the US, UK and Australia. One security researcher described it as the biggest attack of its type that he'd seen.
In the UK, websites for the NHS and Information Commissioner's Office were affected; in the US, the United States Courts' site was hit; in Australia, government sites including that of the Victorian parliament were hit by the cryptojacking code. What all of the sites had in common was the fact that they included the text-to-speech accessibility script Browsealoud from Texthelp.
This is far from being the first time major sites have been used to covertly mine cryptocurrency using visitors' CPU time. This particular wave of incidents was reported over the weekend by security researcher Scott Helme. He notes that rather than attacking a large number of individual sites one by one, a far more efficient way to hit many sites at once is to compromise a single source that they all pull content from. And this is precisely what happened this weekend.
He shared the news on Twitter:
Ummm, so yeah, this is *bad*. I just had @phat_hobbit point out that @ICOnews has a cryptominer installed on their site... ? pic.twitter.com/xQhspR7A2f
— Scott Helme (@Scott_Helme) February 11, 2018
Writing on his website, Helme explains:
We saw a pretty big event take place over the weekend where a 3rd party provider was compromised and their JS library was altered. The alteration introduced a crypto mining script that was then subsequently included on over 4,000 websites that I know of, many of which were Government websites.
The code for Browsealoud was found to have been hijacked to inject the Coinhive miner into a raft of websites, making a profit by using other people's computers to mine for cryptocurrency. As Helme notes, it seems that the script was hacked at some point on Sunday:
It seems like the @texthelp script file was modified between Sun, 11 Feb 2018 02:58:04 GMT and Sun, 11 Feb 2018 13:21:56 GMT according to the @internetarchive: https://t.co/jwKLA6mq7N https://t.co/ZHiUJXBpxC
— Scott Helme (@Scott_Helme) February 11, 2018
Speaking about the scale of the attack to Sky News, Helme said:
This type of attack isn't new -- but this is the biggest I've seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States. Someone just messaged me to say their local government website in Australia is using the software as well.
Texthelp withdrew the plugin as a security measure, and a number of the affected websites were also taken offline. A full investigation is currently underway, and Martin McKay, CTO and Data Security Officer at the company, said: "In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away. Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action."
In a statement on its website, Texthelp says:
Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers' CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday.
The Browsealoud service has been temporarily taken offline and the security breach has already been addressed, however Browsealoud will remain offline until Tuesday 12:00 GMT. This is to allow time for Texthelp customers to learn about the issue and the company’s response plan.
This compromise has only impacted Browsealoud, no other Texthelp products have been affected.
The spate of compromises is seen as an important reminder about security. Fabian Libeau, vice president of security firm RiskIQ, says:
Unfortunately, security teams lack visibility into all of the ways that they can be attacked externally, and struggle to understand what belongs to their organisation, how it’s connected to the rest of their asset inventory, and what potential vulnerabilities are exposed to compromise. In the case of scripts like Coinhive, it means being able to inventory all the third-party code running on your web assets, and being able to detect instances of threat actors leveraging your brand on their illegitimate sites around the internet. Digital threat management software can help companies get covered by continuously discovering an inventory of your externally-facing digital assets and managing risks across your attack surface.
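The inventory Libeau describes, and the check that would have stopped an altered vendor file from running, can be shown in a few lines. The example below is added here and is not code from Texthelp, RiskIQ or Helme: it lists the third-party scripts a page embeds, flags those included without a Subresource Integrity pin (the standard browser mechanism that refuses to run a script whose content no longer matches a digest the page states), and shows that pinned content fails verification once it is changed upstream. The hostnames, the sample page and the stand-in vendor script are all constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptInventory(HTMLParser):
    """Collect every <script src=...> tag together with its integrity attribute, if any."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def third_party_scripts(html, site_host):
    """Return (src, integrity) for scripts served from a host other than site_host."""
    parser = ScriptInventory()
    parser.feed(html)
    return [(src, integrity) for src, integrity in parser.scripts
            if urlparse(src).netloc and urlparse(src).netloc != site_host]

def audit(html, site_host):
    """Third-party script URLs included with no integrity pin: any upstream change runs as-is."""
    return [src for src, integrity in third_party_scripts(html, site_host) if not integrity]

def sri_hash(content, algo="sha384"):
    """Subresource Integrity value for a byte string, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def verify_sri(content, integrity):
    """True only while content still matches the pinned digest; a modified file fails."""
    algo = integrity.partition("-")[0]
    return sri_hash(content, algo) == integrity

# Constructed sample data: a stand-in vendor script and a page that embeds it.
GOOD_JS = b"window.VendorWidget = {};"
ALTERED_JS = GOOD_JS + b"\n/* content changed upstream */"
PINNED = sri_hash(GOOD_JS)
SAMPLE_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://vendor.example/widget.js"></script>
<script src="https://cdn.example/lib.js" integrity="{PINNED}" crossorigin="anonymous"></script>
</head></html>"""

if __name__ == "__main__":
    print("unpinned third-party scripts:", audit(SAMPLE_HTML, "www.example.gov"))
    print("pinned copy still valid:", verify_sri(GOOD_JS, PINNED))
    print("altered copy still valid:", verify_sri(ALTERED_JS, PINNED))
```

A pinned script that the vendor legitimately updates will also fail to load until the page's digest is refreshed, which is the trade-off: the site loses the feature rather than executing content it never reviewed.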