ICO & NHS among thousands of websites hacked by sneaky crypto-mining code

The attack

It’s been announced that thousands of websites, including the NHS, Information Commissioner’s Office (ICO) and US government’s court system, have been compromised. The breach involved the mining of crypto coins (digital currency) on the web browsers of anyone visiting these websites.

As a complex and sneaky attack it is not an easy one to explain. The basic principle is that these hackers weren’t looking to steal data; they were looking to use the browsers of web visitors in order to generate online crypto currency.

All of the affected websites contained the code of a popular plugin called Browsealoud. Created by Texthelp, Browsealoud is an online aid that reads webpages aloud for blind or partially-sighted people. The breach was caused by the code from this plugin being compromised to secretly implant Coinhive’s Monero miner into every webpage featuring Browsealoud.

It’s more than likely that the Browsealoud code would be written into every webpage of the affected websites, meaning the reach of this hidden threat was vast and, more worryingly, completely hidden and unexpected.

This cyber-attack lasted several hours, meaning that anyone who visited a website that had Browsealoud ran the hidden code on their computer, completely unbeknown to the user. The only saving grace is that the code only runs while the browser window is open; once it is closed the code stops mining.

An update to the Browsealoud website read:

“At 11:14 am GMT on Sunday 11th February 2018, a JavaScript file which is part of the Texthelp Browsealoud product was compromised during a cyber attack. The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency. This was a criminal act and an investigation is currently underway.” – Martin McKay, CTO, Texthelp

Websites breached

There are reportedly over 4,200 websites affected by this cyber-attack, including a number of government bodies, education authorities and other organisations across the globe.

A statement from Texthelp read:

“Texthelp is confident that no customer data has been accessed or lost and we would like to take this opportunity to apologise sincerely for any inconvenience caused during this opportunistic cyber attack.” – Martin McKay, CTO, Texthelp

It’s interesting that hackers chose to hack Browsealoud over other more widely-used plugins. I can see two possible reasons why. The first mirrors why the healthcare sector is so frequently targeted: poor protection. Outdated systems and poor to no IT security solutions in place, such as anti-Ransomware, make healthcare providers a big target.

It’s likely that Browsealoud would have been more susceptible to attacks, as its well-meaning approach may not be as strongly mirrored in the security department.

Another theory would be that government websites and the like are used for longer periods of time. This crypto currency mining attack only works while a browser is open, so perhaps the length of time a user may spend on the site was considered by the hackers.

Protection against hidden attacks

The saviour in this story comes in the form of UK-based infosec consultant Scott Helme, who recommended the hacked websites approach this form of attack by adopting SRI – Subresource Integrity. SRI lets a website declare a cryptographic hash of each third-party script it loads, so the browser refuses to run a file that no longer matches; it is designed to flag and block hackers trying to infect websites through a tampered script.
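To make the SRI recommendation concrete, here is an added example (not code from the original post, from Texthelp or from Scott Helme) that generates the `integrity` value a site would embed for a third-party script and then mimics the browser's check against a tampered copy. The script bodies and the `cdn.example.invalid` URL are constructed stand-ins, not the real Browsealoud file.

```python
"""Subresource Integrity (SRI) helper: generate and check integrity values.

Added example; not code from the original post, from Texthelp or from
Scott Helme. The script bodies below are constructed stand-ins: a
"clean" third-party script and a copy with an extra line appended,
standing in for the kind of injected code the post describes.
"""
import base64
import hashlib

# Algorithms the SRI spec recognises, weakest first, strongest last.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as "sha384-<base64 digest>" for a file body."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Render the <script> tag a site would embed for a third-party file.

    crossorigin="anonymous" matters: without CORS the browser cannot read
    the cross-origin response body, so the integrity check cannot pass.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            f'crossorigin="anonymous"></script>')


def sri_verify(content: bytes, integrity: str) -> bool:
    """Mimic the browser's check: parse the integrity attribute, keep only
    the strongest algorithm present, and pass if any of its digests match.
    Unknown algorithms are ignored, as the spec requires."""
    by_algo: dict[str, set[str]] = {}
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        digest = digest.split("?", 1)[0]  # strip the optional "?options" suffix
        if algo in SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(digest)
    if not by_algo:
        # Spec behaviour: no recognised metadata is treated as no integrity set.
        return True
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in by_algo[strongest]


# Constructed sample: the script the site expected to load ...
CLEAN_SCRIPT = b"(function(){ /* reads page text aloud */ })();\n"
# ... and a copy with a line injected after the hash was published.
TAMPERED_SCRIPT = CLEAN_SCRIPT + b"/* injected: unexpected extra code */\n"


def demo() -> dict:
    """Pin the clean script, then check both bodies against that pin."""
    integrity = sri_hash(CLEAN_SCRIPT)
    return {
        "tag": script_tag("https://cdn.example.invalid/browsealoud.js", CLEAN_SCRIPT),
        "clean_ok": sri_verify(CLEAN_SCRIPT, integrity),
        "tampered_ok": sri_verify(TAMPERED_SCRIPT, integrity),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tampered body fails the check while the clean one passes, which is exactly the behaviour a site wants when a supplier's file is altered upstream. The trade-off is operational: every legitimate update to the third-party script changes its hash, so the site has to republish the `integrity` value whenever the supplier ships a new version.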

The cyber-security mix

This cyber-attack is unlike many that we’ve seen spread across headlines in recent months. This breach was hidden from users and mined their browsers without prior knowledge or consent. This breach also involved opening a back door, in a sense, to some high-profile and widely used websites.

Attacks such as Ransomware depend on the action of users, whether this is opening a suspicious email attachment or clicking on a link. The same is true of hackers trying to gain access to user passwords, as in the Cash Converters breach or the more recent breach of Spotify passwords.

Bolstering security in the wake of cyber-attacks increasing

IT security should be high on the agenda for businesses across the globe. With the adoption of technology widespread and continuing to grow, locking down access to data is critical.

No business is exempt from cyber-attacks; hackers don’t discriminate by the size or type of a business. The attacks on the NHS are proof of this, as many vulnerable people were likely affected by the Petya attack. Victims range from global shipping company Maersk, which lost £234 million because of a Ransomware attack, to small business owners who are in some cases forced to close their business when attacked with Ransomware. It’s clear that the cyber criminals behind these breaches will stop at nothing to gain access to your data and hold you to ransom.