A number of government websites in the UK, US, and Australia, including the UK Information Commissioner’s Office (ICO), have been compromised by cryptojacking malware.
According to security researcher Scott Helme, over 4,000 websites have been affected.
The security consultant was made aware of the scheme after another security expert, Ian Thornton-Trump, pointed out that the ICO’s website was serving cryptomining code within its pages.
Helme confirmed the findings on Twitter, and upon further exploration, discovered that the mining code was present on all of the ICO’s web pages.
It was not long before the researcher realized that far more than the ICO had been compromised. Websites including the UK’s Student Loans Company (SLC), the UK National Health Service (NHS) Scotland, the Australian Queensland government portal, and US websites such as uscourts.gov were also affected.
Cryptocurrency mining software is not illegal, and some websites have begun experimenting with plugins that borrow visitor CPU power to mine virtual currency, potentially as an alternative to advertising.
However, malware which injects such mining software without consent is fraudulent, and when legitimate websites unwittingly serve up mining scripts, visitor systems can be slowed down.
The researcher traced the code found on the ICO website to a third-party plugin, Browsealoud, which is intended to assist visually impaired visitors to websites.
The plugin’s developers, Texthelp, confirmed that the plugin had been compromised to mine cryptocurrency.
Any website using the plugin would load the tampered file, and unwittingly load the cryptocurrency miner with it. As a result, it is not the websites themselves that were internally compromised, but rather a third-party service they all depend on that was tampered with for the purpose of cryptojacking.
“If you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the one website that they all load content from,” Helme noted. “In this case, it turned out that Texthelp, an assistive technology provider, had been compromised and one of their hosted script files changed.”
A public search on PublicWWW revealed that up to 4,275 websites may have loaded the infected script and mined cryptocurrency by borrowing visitor processing power as a result.
At the time of writing, the Browsealoud website is not accessible.
Texthelp said no customer information has been exposed due to the security lapse, and “Browsealoud [was removed] from all our customer sites immediately, addressing the security risk without our customers having to take any action.”
The exploit was active for roughly four hours on Sunday.
Texthelp intends to keep the plugin offline until 12.00pm GMT on Tuesday to “allow time for Texthelp customers to learn about the issue and the company’s response plan.”
Helme says that this attack vector is nothing new, but a simple tweak to the script tag that loads the file would have prevented it in the first place. By adding the Subresource Integrity (SRI) integrity attribute to the standard tag that loads a .js file, which lets a browser check whether the file has been modified before executing it, the entire campaign could have been “completely neutralized.”
“In short, this could have been totally avoided by all of those involved even though the file was modified by hackers,” the researcher says. “I guess, all in all, we really shouldn’t be seeing events like this happen on this scale to such prominent sites.”
At the time of writing, the ICO website is not available.
On Sunday, the UK National Cyber Security Centre (NCSC), part of the GCHQ intelligence agency, said that there is “nothing to suggest that members of the public are at risk.”
“NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency,” an NCSC spokesperson said. “The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely.”