Clik here to view.
A security consultant based in the UK has discovered cryptocurrency mining scripts embedded on thousands of websites, including many belonging to the UK, US and Australian governments.
Helme provided a list of some 4275 sites that were likely to be victims of the same attack.
Hey @troyhunt, even you're hit down under... pic.twitter.com/oOj98Gkztn
— Scott Helme (@Scott_Helme) 11 February 2018
He tweeted: "I have a list of over 20 .gov.uk .nhs.uk and .ac.uk domains affected so far. Seems to have hit other government sites too including the US and Australia." Helme has a blog post here about how one can avoid falling victim to this kind of attack.
The Queensland Government legislation website appears to be among the Australian sites affected. Other Ausralian sites hit by this attack are the Casey council in Victoria and Queensland's Urban Utilities site.
{loadposition sam08}Some of the other sites Helme listed were ICO, the UK's independent authority set up to uphold information rights in the public interest, the Student Loan Company in the UK, the General Medical Council in the UK, the NHS, and the US courts website.
Seems to be invoked via obfuscated javascript in something called “browsealoud”, which powers their speech reader. So a third party compromise. Whoops. pic.twitter.com/YA8HUlJCHv
— Inquisitor (@inquisitor) 11 February 2018
Helme said that the scripts appeared to have been placed using a third-party compromise and pointed to the script that had been used to effect the compromise.
A browser plugin named Browsealoud, made by the British site Texthelp, which reads out text to those who are visually impaired, appears to have been hacked and infused with a script to mine for the Monero cryptocurrency.
Hey @texthelp you've been compromised, you need to address this ASAP. Their site also has the crypto miner running: pic.twitter.com/fl0U9ssZRr
— Scott Helme (@Scott_Helme) 11 February 2018
There appears to be an increasing trend among malicious attackers to avoid things like ransomware, which draw attention to the attack, and instead use mining scripts which operate silently, as iTWire reported earlier this month, quoting researchers from Cisco's Talos Group.
The popularity of mining scripts has grown to the extent that last week, for the first time, a SCADA system was found to be hosting these scripts.
Let's also clear something else up: As terrible as it is that a crypto miner was injected into all of these sites, in reality, this could have been catastrophically worse. Key loggers, malware, DDoS scripts, BeEF hooks, or, all of the above and more...
— Scott Helme (@Scott_Helme) 11 February 2018