More than 5,000 websites, including sites belonging to the UK NHS, ICO, local councils and the Student Loans Company were affected by a cryptocurrency mining campaign that exploited a popular plug-in to infect websites with a malicious script.
Hackers behind the operation to mine Monero, a popular cryptocurrency, succeeded in affecting such a large number of websites, some of them owned by government agencies, after they managed to inject a JavaScript fragment into a widely-used plug-in.
The plug-in, BrowseAloud, offers "speech, reading, and translation support" to people with dyslexia and visual impairments, allowing them to access website content. Because the script is loaded from the vendor's servers by every site that embeds it, adding the malicious code to the plug-in let the attackers covertly mine cryptocurrency on all websites that featured it.
According to security researchers, the script injected by those behind the campaign was CoinHive, a JavaScript miner for Monero. As in any other browser-based mining operation, the criminals used the processing power of visitors' devices to perform the calculations needed to generate Monero, without alerting users, and kept the proceeds for themselves.
Researchers at security firm Lastline have confirmed that in order to limit the spread of the malicious script, Texthelp, the company that runs BrowseAloud, has removed the JavaScript from their servers and disabled the BrowseAloud tool altogether. As an added precaution, several government websites, including the website belonging to the Information Commissioner's Office, were taken down to minimise the threat to visitors.
In a press release, the National Cyber Security Centre also confirmed that steps were taken to minimise the impact of the cryptocurrency mining operation.
“NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency. The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely.
“At this stage there is nothing to suggest that members of the public are at risk,” said a spokesperson for the department.
The fact that hackers were able to compromise a plug-in to covertly mine Monero hasn't surprised Joseph Carson, chief security scientist at Thycotic, who believes that such activities are now taking place because the costs of mining cryptocurrencies like bitcoin have made it an expensive operation. "It was only a matter of time before cyber-criminals tapped unused resources from other legitimate websites and, ironically, using government resources to mine bitcoin is kind of a twist," he says.
According to Christopher Littlejohns, EMEA manager at Synopsys, the Monero mining operation was initially successful in affecting thousands of websites because injecting a mining script into a plug-in is "relatively easier" than obtaining access to personal information or account details.
"The NHS and other government agencies are particular targets due to two key factors: 1. the lack of adequate protections to prevent such attacks, and 2. the high numbers of people visiting the sites, each infected page visit reaping a reward for the perpetrators. Whilst there will be an initiative to tackle such issues within the public sector, we should expect the criminals to target other high footfall sites or other delivery mechanisms to achieve their aims," he added.
Fabian Libeau, VP of RiskIQ, says that in order to minimise the impact from compromised plug-ins, security teams must inventory all the third party code running on web assets, and should be able to "detect instances of threat actors leveraging your brand on their illegitimate sites around the internet".