Mining script

Thousands of government and organization websites found serving crypto mining script

On Sunday, more than 4,200 websites around the world began hijacking visitors’ browsers to mine the Monero cryptocurrency.

The attack

The issue was first noticed and partially documented by security researcher Scott Helme.

Among the compromised websites were the UK Information Commissioner’s Office and Financial Ombudsman Service, the US Courts Information Portal, Manchester City Council, City University of New York, Government of Indiana State, Swedish Police and so on.

It didn’t take long for Helme to identify the source of the compromise: Browsealoud, a service run by UK company Texthelp.

The company offers JavaScript that “adds speech, reading and translation to websites making it easier to access and participate for people with dyslexia, low literacy, English as a second language and people with mild visual disabilities.”

Apparently, the company’s script server was hacked and the attackers added another, obfuscated script to Browsealoud’s own. Its sole purpose was to harness the processing power of visitors’ computers and, according to Sophos’ Paul Ducklin, the hackers tried to keep the crypto mining operation imperceptible.

“The rogue script that was injected into the Browsealoud server includes code that tries to limit the amount of processing power that crypto mining will steal, possibly in the hope of going unnoticed for longer,” he noted.

“On my dual-core hyperthread Mac running Firefox, for example, the crypto mining code is limited to a single mining process running at 60% of the maximum possible rate.”

Texthelp reacts

Texthelp CTO and Data Security Officer Martin McKay confirmed the breach later today, and also confirmed that the script was only intended to mine crypto coins, not steal user data.

“In light of other recent cyber attacks around the world, we have been preparing for such an incident since last year and our data security action plan was immediately implemented,” he noted.

“Texthelp has implemented ongoing automated security tests for Browsealoud, and these detected the modified file and, as a result, the product has been taken offline. This immediately removed Browsealoud from all of our customer sites, addressing the security risk without our customers having to take action.”

He also said the Browsealoud service has been temporarily taken offline and will remain offline until 12:00 GMT Tuesday so Texthelp customers can learn more about the issue and the company’s response plan.

Their internal investigation is still ongoing, so it’s still unclear whether the compromise of the Browsealoud script was due to an external hack or a malicious insider.

Protection against future attacks

Victims’ browsers were “freed” as soon as they closed any windows or tabs in which one of the compromised sites was open. Users who use any of the many security products that block the Coinhive site have not been affected.

For sites that depend on third-party scripts for some of their functionality, Helme recommends using a technique called SRI (Subresource Integrity).

“Rather than trusting a third party to do nothing untoward, it would be far better to verify that they are not doing anything mean, and that’s exactly what SRI allows us to do,” he explained.

“In short, SRI allows us to ask the browser to perform an integrity check on an asset loaded by a third party. By incorporating the base64-encoded cryptographic hash digest that we expect for the asset into the script or link tag, the browser can download the asset and check its cryptographic hash digest against what it expected. If the hash of the uploaded asset matches the hash we provided, the content is what we expected to receive and the browser can safely include the script or style. If the hash doesn’t match, we know that we can’t trust the data and it should be deleted.”
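
The check Helme describes can be reproduced outside the browser. The following is an added example, not code from Helme, Texthelp or the original article: it builds the integrity value for a script and applies the browser's accept/reject decision to an unmodified and a modified copy. The script contents, the vendor.example URL and the function names are constructed for illustration.

```javascript
// Added example: SRI generation and the browser's accept/reject decision,
// reproduced in Node.js. All names and sample data are constructed.
const { createHash } = require("node:crypto");

const SRI_ALGS = ["sha256", "sha384", "sha512"]; // weakest to strongest

// Value for the integrity="" attribute of a <script> or <link> tag.
function sriFor(body, alg = "sha384") {
  if (!SRI_ALGS.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Same decision a browser makes: ignore tokens it cannot parse, keep only the
// strongest algorithm listed, accept if any digest of that algorithm matches.
function sriAllows(body, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((tok) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})/.exec(tok))
    .filter(Boolean)
    .map(([, alg, b64]) => ({ alg, b64 }));
  if (entries.length === 0) return true; // no usable metadata: loaded unchecked
  const rank = (e) => SRI_ALGS.indexOf(e.alg);
  const strongest = entries.reduce((a, b) => (rank(b) > rank(a) ? b : a)).alg;
  const actual = createHash(strongest).update(body).digest("base64");
  return entries.some((e) => e.alg === strongest && e.b64 === actual);
}

// Constructed stand-ins for a vendor script and a copy modified on the server.
const VENDOR_JS = "window.readAloud = function () { /* vendor code */ };\n";
const TAMPERED_JS = VENDOR_JS + "/* code appended by an intruder */\n";

function demo() {
  const integrity = sriFor(VENDOR_JS);
  return {
    tag: `<script src="https://vendor.example/widget.js" integrity="${integrity}" crossorigin="anonymous"></script>`,
    original: sriAllows(VENDOR_JS, integrity),   // digest matches
    tampered: sriAllows(TAMPERED_JS, integrity), // digest differs, script blocked
    mistyped: sriAllows(TAMPERED_JS, "sha348-AAAA"), // unknown algorithm, fails open
  };
}

console.log(demo());
```

An integrity value with no recognised algorithm is treated as absent and the script loads unchecked, so a mistyped attribute fails open. A cross-origin script also needs the crossorigin attribute and CORS headers from the vendor, otherwise the browser refuses the load.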

Stealth mining is a big deal

According to a recent 360Netlab analysis, 241 out of 100,000 Alexa Top websites and 629 out of 300,000 Alexa Top websites have crypto-mining code embedded in their homepage (the full list can be found here).

The mining code is mainly from Coinhive, and almost half of those sites are porn sites.

Stand-alone crypto-mining malware is also widely distributed and can even end up on sensitive machines such as those deployed on SCADA networks or research supercomputers.