Over 4000 websites including several belonging to UK and US government agencies were found over the weekend to be running hidden crypto-mining malware.
Security researcher Scott Helme first investigated the website of the Information Commissioner’s Office (ICO) after a tip-off that AV filters were raising red flags.
“At first the obvious thought is that the ICO were compromised so I immediately started digging into this after firing off a few emails to contact people who may be able to help me with disclosure. I quickly realised though that this script, whilst present on the ICO website, was not being hosted by the ICO, it was included by a third-party library they loaded,” he explained.
“If you want to load a crypto miner on 1,000 websites you don't attack 1,000 websites, you attack the one website that they all load content from. In this case it turned out that Texthelp, an assistive technology provider, had been compromised and one of their hosted script files changed.”
It turned out that attackers had compromised a JavaScript file which was part of the Texthelp Browsealoud product, adding malicious code which effectively installed the CoinHive miner.
Some of the sites affected by CoinHive included United States Courts, the General Medical Council, the UK’s Student Loans Company, NHS Inform and many others.
Helme argued that mitigating the attack only requires a small code change to how the Browsealoud script is loaded.
“What I've done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page,” he explained.
“To take this one step further and ensure absolute protection, you can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute.”
The good news is that the attack took place on Sunday morning and Texthelp was quick to recognise the issue and take its service temporarily offline to fix it.
Crypto-mining is an increasingly popular way for cyber-criminals to make money; in fact, many are turning away from ransomware to focus on the new tactic, according to Cisco Talos.
IBM claimed to have seen a six-fold increase in crypto-mining malware attacks between January and August 2017.