Thousands of Government Websites Hacked to Mine Cryptocurrencies
Hackers have exploited a vulnerable plugin across thousands of high level domains to mine Monero cryptocurrency
Thousands of government websites across the globe have been hacked in order to force visitors to mine Monero via the Java-based Coin Hive miner.
It's reported that more than 4,000 websites were hacked, including the UK Information Commissioner's Office (ICO), USCourts.gov, the Financial Ombudsman Service (financial-ombudsman.org.uk) and a string of otherwise respectable government sites.
The culprit appears to be a popular plugin called Browsealoud, made by Text Help, which reads out web pages for blind or partially sighted people. Hackers managed to compromise the script files and insert a version of the Coin Hive miner, which in turn infected the entire customer base of the assistive technology. Given that regulatory requirements around accessibility are particularly well observed (and rightly so) by government departments, those departments were especially affected by this attack.
Ilia Kolochenko, CEO, High-Tech Bridge said: “It is a good, albeit sad, example of how even the largest organizations depend on the cybersecurity of third parties. The good news is that we see a nascent trend among large companies to evaluate and monitor how well their suppliers and partners manage their information security, incident response and privacy issues.”
In other good news, Coinhive's code is widely detected by antivirus packages and ad-blocking plugins and tools, and it only operates while a user has the infected site open in a browser, so ongoing or recurring infection should not be a risk from this particular attack. UK security researcher Scott Helme made the initial discovery of the infection, and made a few notes on the situation in a blog post.
“This is not a particularly new attack and we've known for a long time that CDNs or other hosted assets are a prime target to compromise a single target and then infect potentially many thousands of websites. The thing is though, there's a pretty easy way to defend yourself against this attack”, he pointed out.
Helme noted that using the Subresource Integrity (SRI) integrity attribute lets the browser verify that a fetched file has not been modified, which can prevent this type of attack, as can having Content Security Policy reporting properly set up. “I guess, all in all, we really shouldn't be seeing events like this happen on this scale to such prominent sites”, he concluded.
Meanwhile on Twitter it was reported that Coin Hive had admitted their service was involved, but claimed that the total mined value was just 0.1 XMR ($24).
The incident follows a series of warnings over the dangers of inadequate oversight of third-party services, especially against a background of increasing numbers of such services on most everyday sites. A recent report found that 42 per cent of the top 100,000 websites on the web are using software that leaves them vulnerable to cyberattack, or have already been compromised. Many external data breaches and security incidents involve insecure web applications, due to the pressures of building and maintaining digital tools in the corporate IT environment. High-Tech Bridge’s award-winning Application Security Testing (AST) Platform, ImmuniWeb, helps reduce application risks and get the best ROI from Application Security Testing.