Several government web pages from the United States and the United Kingdom were injected with cryptocurrency mining malware.
Over four thousand websites worldwide, including some run by the U.S. and U.K. governments, were allegedly hacked by cryptojackers.
Scott Helme, a U.K.-based information security consultant, said that the affected sites are all using a specific plugin. This plugin silently injects cryptocurrency mining malware in the site pages.
The plugin, popularly known as BrowseAloud, reads out web pages to help improve the user experience of the visually impaired. While the plugin appears to have been compromised, it is still unclear whether its source code was altered by external hackers or by company insiders.
Following the discovery of the malware, U.K.’s data protection watchdog, the Information Commissioner’s Office, reportedly shut down its website to deal with the issue. According to Helme, he was alerted by a friend who received a malware warning after visiting the ICO website. Since then, the code has been disabled. Visitors are now safe to browse the said site.
“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States,” Helme told Sky News.
The Cryptocurrency Mining Malware
The list of more than four thousand websites affected by the cryptocurrency mining malware has been published. Some of the government-run sites on the list include:
- uscourts.gov – website of the United States courts
- in.gov – official website of the State of Indiana
- cookcountytreasurer.com – Cook County, Illinois treasurer website
- camden.gov.uk – official website of Camden Town in London
- camh.ca – Canada’s Centre for Addiction and Mental Health website
- agriculture.gov.ie – Ireland’s Department of Agriculture, Food, and the Marine website
- legislation.qld.gov.au – Queensland Government’s legislation website
- cambridge.ca – Cambridge, Canada’s official website
- texthelp.com – creator and provider of the text-to-speech technology, Browsealoud
According to a report from The Register on Sunday, the cryptocurrency mining code was injected into BrowseAloud’s code sometime between 0300 and 1145 UTC. The miner, which uses Coinhive code to mine the Monero virtual currency, only runs while an affected page is open. This means that mining stops automatically as soon as the user closes the web browser or leaves the page.
In general, the code could be detected and stopped by antivirus packages or ad-blocking tools. Anyone with a reasonable security suite should not be directly affected.
Stopping the Monero Mining Malware
However, Helme noted that unless websites use this protection, hackers and other cybercriminals will continue to target third-party resource providers like BrowseAloud.
“Third parties like this are absolutely a prime target and have been for some time,” Helme went on to say. “There’s a technology called SRI (Sub-Resource Integrity) designed to fix exactly this problem, and unfortunately it seems that none of the affected sites were using it.”
Apparently, all it takes is to hack one provider like Texthelp, creator and provider of BrowseAloud, to infect numerous websites that use its services. The company has disabled the BrowseAloud service according to a public tweet.
Our Data security investigation underway at Texthelp, statement on our website: https://t.co/KEXFbmDyZE
Browsealoud was automatically removed from all our customers’ websites in response. No action needed by our customers.
— Texthelp for Edu (@texthelp) February 11, 2018
The tweet was later on followed by an official statement from Texthelp, citing that no customer data has been compromised during the attack.
“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” Martin McKay, CTO and Data Security Officer at Texthelp, was quoted as saying.
“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.”