Mining malware is spreading like wildfire, every week now we run another story on some platform or other falling victim to it. As cryptocurrencies become far more lucrative than ransomware or identity theft incidents of exploits will only increase. Various governmental departments in Australia and the UK were found frantically calling the tech guys over the weekend as their websites were compromised.
According to the Guardian as many as 5,000 websites were infected with a variant of the Coinhive mining malware. In the UK they included websites of National Health Services, the Student Loans Company, and several English councils in addition to the UK’s data protection watchdog, the Information Commissioner’s Office. They have all been taken offline to deal with the issue.
Compromised plugin
The malicious miner came from a compromised plugin called BrowseAloud which enables blind and partially sighted people read content on websites. The script had the same operation as has been seen many times before; hijacking the machine’s hardware to mine for Monero. XMR is the number one crypto currency for criminals now since it is encrypted and anonymous leaving no trace to the destination wallets.
Plugin authors, Texthelp, took their own website offline to patch the compromised software;
“The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers’ CPUs to attempt to generate cryptocurrency, The exploit was active for a period of four hours on Sunday. The Browsealoud service has been temporarily taken offline and the security breach has already been addressed,”
The security consultant who documented the attack told media;
“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States. There were ways the government sites could have protected themselves from this. It may have been difficult for a small website, but I would have thought on a government website we should have expected these defence mechanisms to be in place.”
Australian government websites using the same plugin were also compromised. They included the Victoria parliament, the Queensland Civil and Administrative Tribunal, the Queensland ombudsman, the Queensland Community Legal Centre, and the Queensland legislation website.
Porn perps
According to researchers at China’s 360Netlab porn websites are responsible for the majority of mining malware on the internet. It analyzed the relationship between domain names and prevalence of malware that hijacks computer hardware. Unsurprisingly 49% of those domain names containing the malware were porn sites.
Cyber security firm Symantec predicted that in-browser mining would turn into an “arms race” in 2018, brought about as attackers devise even more inventive and invasive ways of mining cryptocurrencies using other people’s hardware and energy.