Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Crypto Mining Malware Infects Thousands of Websites

Hacked Script Infects Several Government Sites with Cryptominer

Hacked Script Infects Several Government Sites with Cryptominer

The websites of numerous government, health and education organizations worldwide were infected with a crypto-currency miner over the weekend, after a script running on all of them was maliciously modified.

The culprit was Browsealoud, a script developed by Texthelp to add “speech, reading, and translation to websites.” The software was designed to provide access and participation to people with Dyslexia, Low Literacy, English as a Second Language, and to those with mild visual impairments, the company says.

Over the weekend, Texthelp was the target of a cyber-attack that resulted in a JavaScript file, part of the Browsealoud script, being modified. Because of that, Browsealoud would inject a Coinhive cryptojacking script into the visitors’ browsers, to turn them into crypto-currency mining machines.

“At 11:14 am GMT on Sunday 11th February 2018, a JavaScript file which is part of the Texthelp Browsealoud product was compromised during a cyber-attack. The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency. This was a criminal act and a thorough investigation is currently underway,” the company revealed in a blog post.

As a result of this attack, numerous government websites in the United Kingdom, the United States, and Australia were infected with the crypto-mining software.

As Scott Helme, the researcher who noticed the malicious script quickly discovered, a total of 4275 websites were impacted in this attack, including prominent sites such as UK’s Information Commissioner’s Office, the NHS, the General Medical Council, U.S. Courts, academic websites, and many others.

“The ba.js
had been altered to include a document.write call that added a CoinHive crypto miner to any page it was loaded in to. The sheer number of sites affected by this is huge and some of them are really prominent government websites,” Helme points out.

Advertisement. Scroll to continue reading.

The reason so many websites were impacted isn’t only the ease of use Browsealoud promises, as admins only need to copy and paste one script to take advantage of it, but also regulatory requirements around accessibility that many sites need to comply with, especially government sites.

Soon after realizing the cause of the infection, Helme notified Texthelp, which decided to take Browsealoud offline, thus removing it from all of their customer sites immediately. The company claims that taking the product down allowed them to address the issue without requiring customers to take action.

“Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday,” Martin McKay, CTO and Data Security Officer, Texthelp, says.

McKay also noted that, although the issue has been addressed, Browsealoud will remain offline until Tuesday, so that customers could be informed on the issue. He also pointed out that no other Texthelp products have been affected.

“A security review will be conducted by an independent security consultancy. The investigation is ongoing, and customers will receive a further update when the security investigated has been completed,” McKay concluded.

UK’s National Cyber Security Centre also said they were examining the incident.

“The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk,” the NCSC said.

However, it appears that the issue might have not been completely resolved, as Helme points out on Twitter. The researcher claims that even today the malicious script attempts to load when accessing the UK’s Information Commissioner’s Office website, likely from cache. This means that returning visitors might still be impacted.

Related: Crypto-Mining Attack Targets Web Servers Globally

Related: 30 Million Possibly Impacted in Crypto-Currency Mining Operation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.