Thousands of websites have been infected with code that causes browsers to secretly mine cryptocurrency.
The UK National Health Service (NHS) and Information Commissioner’s Office (ICO) are just two examples of the thousands of websites around the globe that were affected by a major compromise on 11 February.
Many other organisations’ websites were also affected, from the US courts website to the UK Financial Ombudsman Service. The Register reported that the websites using the Browsealoud plugin were all stealthily injected with Coinhive’s Monero miner.
Browsealoud is a popular plugin used to improve accessibility online, reading out website content to users who are partially sighted or blind.
The malicious code was first flagged by UK infosec expert Scott Helme.
Texthelp is the British company behind Browsealoud, and a spokesperson said it had removed the Browsealoud code from the web while it examines exactly how the incident occurred.
More than 4,200 sites in total were infected with the hidden mining code. In general, antivirus packages and ad-blockers are adept at detecting and stopping Coinhive’s code, and the miner stops running once the particular browser tab is closed.
Major opportunity for bad actors
The majority of popular websites use resources from other companies, from screen readers to menu interfaces. This presents a major opportunity for bad actors to tamper with these resources, as all websites using said resource will pull the malicious code into the browsers of every user.
According to Helme, webmasters should adopt a technique called subresource integrity, in which the webpage declares a cryptographic hash (fingerprint) of each third-party script it expects, so the browser refuses to run a copy that has been altered, nipping any such attack in the bud.
Paul Ducklin of Sophos noted that the rogue script injected into the Browsealoud server included code that tried to limit the amount of processing power used for cryptocurrency mining by the affected machine, presumably so the miner can continue its work undetected for a longer time period.
Cryptocurrency miners becoming more common
One positive note is that researchers have not found any other malicious activity as a result of the attack, which seems to be solely focused on mining Monero as opposed to stealing credentials or other private data.
This is not to say another group or individual couldn’t do such a thing, as the massive attack surface of sites using plugins such as Browsealoud makes them a tempting target for similar attacks by criminals.
The UK National Cyber Security Centre (NCSC) said: “NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency.
“The affected service has been taken offline, largely mitigating the issue. Government websites will continue to operate securely. At this stage, there is nothing to suggest that members of the public are at risk.”