Groups Similar Search Look up By Text Browse About

Cryptomining malware spread via US, UK and Australian government sites

Government websites in the US, UK and Australia have been serving visitors cryptomining malware after a third-party service was compromised. The sites are among more than 4,000 affected on Sunday, according to security researcher Scott Helme, after a third-party service they used was infected with the Coinhive cryptocurrency miner. In the UK, affected websites included the Information Commissioner's Office, the Student Loans Company, and the UK National Health Service (NHS) Scotland; in the US,; and in Australia, the Queensland government portal. The compromised service used by all these sites was the Browsealoud JavaScript library, which makes websites accessible via screen reading and translation tools. The incident demonstrates the dangers of not properly securing pages that load in JavaScript libraries hosted by a third party, said Helme, particularly since such libraries are tempting targets for hackers. " If you want to load a crypto miner on 1,000+ websites you don't attack 1,000+ websites, you attack the 1 website that they all load content from," he writes. It leader's guide to the threat of fileless malware (Tech Pro Research). To guard against such exploits, Helme says all sites loading third-party JavaScript libraries should include the Sub Resource Integrity attribute in the HTML script tag that loads the library, as outlined here. " In short, this could have been totally avoided by all those involved even though the file was modified by hackers," the researcher says. "I guess, all in all, we really shouldn't be seeing events like this happen on this scale to such prominent sites. " Helme found that the Browsealoud library was updated to include the cryptocurrency miner at around 3am GMT on Sunday, and the malware appears to have been served to website visitors during a four-hour period that day. Texthelp says Browsealoud has since been removed from "all our customer sites", and added that no customer information was exposed. However, the ICO website was still offline at the time this article was published. Commenting on the incident, a spokesperson for the UK National Cyber Security Center (NCSC), part of the intelligence agency GCHQ, said there is "nothing to suggest that members of the public are at risk", but added that its experts were examining the incidents. The infected script was served via the US Courts website. Also see

Government websites fall prey to cryptocurrency mining hijack

The US, UK, Australia and other countries were affected. It's not just private companies' websites falling victim to cryptocurrency mining hijacks. Security consultant Scott Helme and the Register have discovered that intruders compromised over 4,200 sites with Coinhive's notorious Monero miner, many of them government websites from around the world. This includes the US court info system, the UK's National Health Service and Australian legislatures, among others. The intruders spread their JavaScript code by modifying an accessibility plugin for the blind, Texthelp's Browsealoud, to inject the miner wherever Browsealoud was in use. The mining only took place for several hours on February 11th before Texthelp disabled the plugin to investigate. Government sites like the UK's Information Commissioner's Office also took pages down in response. As with most of these injections, your system wasn't facing a security risk -- you would have just noticed your system bogging down while searching for government info. The mining goes away the moment you visit another page or close the browser tab. The biggest hassle was for the site operators, who are now discovering that their sites are vulnerable to intruders slipping in rogue code without verification. It's not certain who's behind the attempt, but these hijacks tend to be the work of criminals hoping to make a fast profit. The big problem: this might continue to happen for a while. Although antivirus tools can catch Coinhive, a more definitive solution would be to use a fingerprinting technique (subresource integrity) that verifies of outside code and blocks any modifications. And there's no indication that many websites, whether government or private, are in a rush to implement it.