Government Websites Deliver Cryptocurrency Mining Code
Security of Code Pushed by Content Delivery Networks Remains Ongoing Concern
More than 4,200 websites, some belonging to the U.S., U.K. and Australian governments, unknowingly turned their visitors' computers into mining machines to harvest the virtual currency Monero for a few hours on Sunday.
The websites use accessibility software called Browsealoud designed to magnify, read aloud or translate text, among other functions. Browsealoud is developed by Texthelp, which has offices in Massachusetts as well as Northern Ireland.
But someone modified a JavaScript library within Browsealoud to include Coinhive, which is a JavaScript tool for mining Monero. Mining is the process by which transactions are confirmed within Monero's blockchain. Computers that participate in the process can be rewarded by receiving a small slice of the virtual currency.
Texthelp says the malicious code ran for about four hours before its security systems caught it. The company took Browsealoud offline, which immediately removed the code - and the mining attacks - from affected websites. The JavaScript didn't do anything else malicious on users' computers, but the incident remains under investigation, Texthelp says.
"The company has examined the affected file thoroughly and can confirm that it did not redirect any data," says Martin McKay, Texthelp's CTO and data security officer, in a statement released Sunday. "It simply used the computers' CPUs to attempt to generate cryptocurrency."
Cryptocurrency mining consumes CPU or GPU cycles, which usually goes unnoticed by individuals whose computers have been affected. But the incident could have been engineered for more nefarious aims, including stealing user data.
"The script could have done multiple things," says Scott Helme, a U.K.-based security researcher. "We're lucky the attackers didn't know/realize this or simply chose not to."
Ummm, so yeah, this is *bad*. I just had @phat_hobbit point out that @ICOnews has a cryptominer installed on their site... pic.twitter.com/xQhspR7A2f
— Scott Helme (@Scott_Helme) February 11, 2018
According to the list published by Texthelp, affected sites included the National Health Service and local government websites in the U.K., as well as the Information Commissioner's Office, which is the U.K.'s data privacy watchdog. Other government sites, including the U.S. government's federal court website and the government of Queensland in Australia, were also affected.
Mining vs. Ransomware
Over the past few months, security researchers have increasingly seen cryptocurrency mining software inserted into web pages. Many of the incidents involve Monero, a privacy-focused virtual currency.
Unlike bitcoin, Monero can still be mined on consumer-grade hardware. The Coinhive software is intended as an alternative way to monetize website content. In theory, however, websites should disclose the use of the software.
The economics around cryptocurrency mining are so favorable right now that experts say criminal actors are moving away from file-encrypting ransomware.
Cryptocurrency mining "doesn't rely on the victim being willing and/or capable of making payment," writes the U.K.'s National Cyber Security Centre in an advisory on Friday. "It is also not confrontational but is designed to operate undetected in the background over a long period, potentially earning more money than a ransomware campaign."
Plus, if the mining code is pushed via JavaScript through a web page, no exploit is needed, although exploit-based methods are still used to deliver miners.
"Almost every AV and web block I've seen all week have been cryptocurrency mining," writes British security researcher Kevin Beaumont on Twitter. "It's a massive swing. Email macros etc. have seen a massive decrease so far this year, now it's Java RATs (which work on Macs), O365 and Google phishing, and mining. Even ransomware dropping off."
Stopping Miners
The broader risk for enterprises is a well-known one: How can you guarantee that software developed by others hasn't been compromised?
"If you go after these sorts of supply chain targets that a lot of people use, and you're able to compromise them, compromise the service, compromise the updates that they're pushing down to their customers, it enables you to get a very large swath of potential targets," says Luke McNamara, a principal analyst with FireEye based in Washington. "That's something that's very worrying."
Alan Woodward, a computer science professor at the University of Surrey, describes the problem as a "modern day supply chain security issue."
Woodward tells ISMG: "It's a problem many businesses don't realize they may have and yet if they did they could do something about it."
Helme, the U.K. security researcher, has published a blog post about the Texthelp incident. He says it doesn't appear that Texthelp's servers were directly compromised. Browsealoud's software was hosted on Amazon's S3 service and its CloudFront content distribution network.
It's also on @uscourts! pic.twitter.com/UyPjzbEsPw
— Scott Helme (@Scott_Helme) February 11, 2018
That could mean that Texthelp's authentication credentials were either leaked or captured through a phishing attack. Helme says he doubts it was a result of a security compromise at Amazon, but rather that Texthelp may have misconfigured permissions on an S3 bucket. That's a somewhat common mistake that can lead to data breaches.
Checking the signing key for Browsealoud wouldn't have helped. The tampered file was written in JavaScript, so it wouldn't have been signed, Helme says.
But the tampering could have been detected by checking the expected cryptographic hash digest of the JavaScript file using subresource integrity, or SRI, Helme writes. It's a way for website operators to warn their users if a file delivered by a CDN isn't the one that was supposed to be delivered.
"Rather than trusting a third party not to do anything untoward, it'd be far better to actually verify that they're not doing anything nasty, and that's exactly what SRI allows us to do," he writes.
Defense: Enable SRI
Chrome and Firefox support SRI, and Helme in 2015 published a blog post explaining how to implement SRI. Troy Hunt, an Australian security expert, has also published advice on how to use SRI.
If cryptocurrency miners continue to pop up, FireEye's McNamara says that enterprises may have to start scanning for and blocking outward connections to mining pools. Computers mining cryptocurrency often participate in pools, or groups of computers, which collectively contribute results of their hashing calculations.
To report the results of the computations, miners have to make outbound connections to those pools, which could be detected, he says.
"That's not necessarily going to prevent that malware running the system if it's been infected, but that will be a way to detect that and certainly decrease the utility of that malware," McNamara says.