A UK computer consultant has discovered that thousands of websites around the world have been hacked by ‘miscreants unknown’ and put to work mining the Monero cryptocurrency.
Those infected include many government sites in Australia. UK security researcher Scott Helme discovered the hack and went to UK computer publication The Register, which reported the incident and published a list of over 4,000 infected sites. Australian sites infected include qcat.qld.gov.au, casey.vic.gov.au, bayswater.wa.gov.au, parliament.vic.gov.au, and legislation.qld.gov.au.
Major sites affected internationally include the UK’s National Health Service and the US court information system. The sites were affected through their use of Browsealoud, a utility which converts text to speech for the visually impaired. Sites in the UK Government, a big user of Browsealoud, were particularly affected.
The hacker did not have to break into every site, only Browsealoud, which then infected any site it was associated with. Many websites use ‘plug-ins’ like Browsealoud – third-party apps which perform a specific task and save the trouble of writing code from scratch.
The software hack altered Browsealoud’s source code to include software from a company called Coin Hive, which has developed an app to ‘mine’ the Monero cryptocurrency. Coin Hive was conceived as a way to help users gain a little extra income – ‘mining’ uses computer power to validate cryptocurrency transactions, for which the miner is given a small amount of the currency.
Mining takes a lot of computer power for a very small return, so successful miners often use other computers’ processing power. That is what this latest hack attempted.
“Third parties like this are absolutely a prime target and have been for some time,” Helme told The Register. “There’s a technology called SRI (Sub-Resource Integrity) designed to fix exactly this problem, and unfortunately it seems that none of the affected sites were using it.
“If you want to load a crypto miner on a thousand websites you don’t attack them all, you attack the one website they all load content from.”
Coin Hive has been blocked by many malware detection companies, such as Malwarebytes. The hack exposed the increasingly nefarious nature of the cryptocurrency world. Bitcoin is the best known, but there are dozens more, and the methods used to propagate them are often shady.
Leading Browsealoud reseller Texthelp said the hack was a criminal act. “In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year,” said Chief Technical Officer Martin McKay. “Our data security action plan was actioned straight away and was effective; the risk was mitigated for all customers within a period of four hours.
“Texthelp has in place continuous automated security tests for Browsealoud. These tests detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.”
“The attacker did not attempt to extort or ransom money from our customers. The company has examined the affected file thoroughly and can confirm that no customer data has been accessed or lost. The file used the computer’s CPUs only to attempt to generate cryptocurrency.”