Government Websites Deliver Cryptocurrency Mining CodeSecurity of Code Pushed by Content Delivery Networks Remains Ongoing Concern
More than 4,200 websites, some belonging to the U.S., U.K. and Australian governments, unknowingly turned their visitors' computers into mining machines to harvest the virtual currency Monero for a few hours on Sunday.
See Also: Autonomous Response: Threat Report
The websites use accessibility software called Browsealoud designed to magnify, read aloud or translate text, among other functions. Browsealoud is developed by Texthelp, which has offices in Massachusetts as well as Northern Ireland.
"The company has examined the affected file thoroughly and can confirm that it did not redirect any data, says Martin McKay, Texthelp's CTO and data security officer, in a statement released Sunday. "It simply used the computers' CPUs to attempt to generate cryptocurrency."
Cryptocurrency mining consumes CPU or GPU cycles, which usually goes unnoticed by individuals whose computers have been affected. But the incident could have been engineered for more nefarious aims, including stealing user data.
"The script could have done multiple things," says Scott Helme, a U.K.-based security researcher. "We're lucky the attackers didn't know/realize this or simply chose not to."
According to the list published by Texthelp, affected sites included the National Health Service and local government websites in the U.K., as well as the Information Commissioner's Office, which is the U.K.'s data privacy watchdog. Other government sites, including the U.S. government's federal court website and the government of Queensland in Australia, were also affected.
Mining vs. Ransomware
Over the past few months, security researchers have increasingly seen cryptocurrency mining software inserted into web pages. Many of the incidents involve Monero, a privacy-focused virtual currency.
Unlike bitcoin, Monero can still be mined on consumer-grade hardware. The Coinhive software is intended as an alternative way to monetize website content. In theory, however, websites should disclose the use of the software.
The economics around cryptocurrency mining are so favorable right now that experts say criminal actors are moving away from file-encrypting ransomware.
Cryptocurrency mining "doesn't rely on the victim being willing and/or capable of making payment," writes the U.K.'s National Cyber Security Centre in an advisory on Friday. "It is also not confrontational but is designed to operate undetected in the background over a long period, potentially earning more money than a ransomware campaign."
"Almost every AV and web block I've seen all week have been cryptocurrency mining," writes British security researcher Kevin Beaumont on Twitter. "It's a massive swing. Email macros etc. have seen a massive decrease so far this year, now it's Java RATs (which work on Macs), O365 and Google phishing, and mining. Even ransomware dropping off."
The broader risk for enterprises is a well-known one: How can you guarantee that software developed by others hasn't been compromised?
"If you go after these sorts of supply chain targets that a lot of people use, and you're able to compromise them, compromise the service, compromise the updates that they're pushing down to their customers, it enables you to get a very large swath of potential targets," says Luke McNamara, a principal analyst with FireEye based in Washington. "That's something that's very worrying."
Alan Woodward, a computer science professor at the University of Surrey, describes the problem as a "modern day supply chain security issue."
Woodward tells ISMG: "It's a problem many businesses don't realize they may have and yet if they did they could do something about it."
Helme, the U.K. security researcher, has published a blog post about the Texthelp incident. He says it doesn't appear that Texthelp's servers were directly compromised. Browsealoud's software was hosted on Amazon's S3 service and its CloudFront content distribution network.
That could mean that Texthelp's authentication credentials were either leaked or captured through a phishing attack. Helme says he doubts it was a result of a security compromise at Amazon, but rather that Texthelp may have misconfigured permissions on an S3 bucket. That's a somewhat common mistake that can lead to data breaches.
"Rather than trusting a third party not to do anything untoward, it'd be far better to actually verify that they're not doing anything nasty, and that's exactly what SRI allows us to do," he writes.
Defense: Enable SRI
If cryptocurrency miners continue to pop up, FireEye's McNamara says that enterprises may have to start scanning for and blocking outward connections to mining pools. Computers mining cryptocurrency often participate in pools, or groups of computers, which collectively contribute results of their hashing calculations.
To report the results of the computations, miners have to make outbound connections to those pools, which could be detected, he says.
"That's not necessarily going to prevent that malware running the system if it's been infected, but that will be a way to detect that and certainly decrease the utility of that malware," McNamara says.