U.K. and U.S. websites hit by Monero-mining malware

Government sites were hijacked by a hidden Monero-miner script

UK and US government websites were mining Monero cryptocurrency

Almost 5,000 websites were hit by stealthy crypto-mining malware, including government sites such as manchester.gov.uk, ico.org.uk and uscourts.gov[1]. The malicious code was injected after the criminals managed to compromise a popular plug-in.

Yesterday, the UK government site ico.org.uk was spotted running Coinhive's crypto-mining code, which means the CPU power of every visitor to the page was being used to mine the Monero cryptocurrency. Further investigation showed that this page was not the only one running Coinhive's miner: many other government sites were also compromised.

Here is a fraction of the list of affected sites:

  • manchester.gov.uk;
  • legislation.qld.gov.au;
  • nhsinform.scot;
  • ouh.nhs.uk;
  • agriculture.gov.ie;
  • croydon.gov.uk;
  • cuny.edu;
  • financial-ombudsman.org.uk;
  • uscourts.gov;
  • ico.org.uk;
  • lu.se;
  • slc.co.uk;
  • and many others.

The compromised plugin contained obfuscated code that injected the Coinhive miner

During the analysis, experts found that all of the affected websites were using the same Browsealoud plugin, produced by the well-known British tech company Texthelp[2]. It helps people with disabilities, such as partial or full blindness, to access pages by reading the text aloud.

Texthelp has confirmed that their software was hacked on Sunday and that the malicious version was active for four hours until it was taken offline[3]. The Browsealoud plugin script contained obfuscated code which, when decoded, injected the Monero miner into the website and used 40% of visitors' computing power to mine cryptocurrency.

Texthelp's data security officer, Martin McKay, said that Browsealoud's security tooling detected the malicious code and helped prevent further spread[4]:

Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.

Additionally, he said that the breach hadn't affected customer data:

Texthelp can report that no customer data has been accessed or lost.

Using Content Security Policy and Subresource Integrity can help protect sites from cryptojacking attacks

Experts say that Subresource Integrity (SRI) is a good way to avoid such attacks. It is designed to hash the script the browser is about to load and compare that hash with the one the website owner has declared for it. If they match, the browser loads the script; otherwise the script is blocked. Combining SRI with Content Security Policy (CSP) only strengthens the protection against cryptojacking.

Computer users are also advised to use professional antivirus software, which can detect and identify sites running a Monero miner[5]. This way they avoid the exploitation of their computers' resources and the harmful consequences, which can show up as a significant drop in system performance.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
