A massive attack hit thousands of websites around the world, crooks deployed Coinhive scripts forcing them to secretly mine cryptocurrencies on visitors’ browsers.
The list of compromised websites (4275) includes the UK’s NHS, Information Commissioner’s Office (ICO) (ico.org.uk), the UK’s Student Loans Company (slc.co.uk), The City University of New York (cuny.edu), and the US government’s court system.
Once discovered the hack some sites web down, the ICO also took its website down.
The compromised websites use the Browsealoud plugin which makes their content accessible for blind or partially sighted people by reading it.
In a time-window of roughly seven hours (between 0300 and 1145 UTC), all the websites using Browsealoud inadvertently ran the Monero cryptocurrency mining code.
The attackers injected an obfuscated version of the mining code in the plugin that once converted from hexadecimal back to ASCII allowed to load the mining code in the webpage.
The alarm was thrown by the security expert Scott Helme who was contacted by a friend who sent him antivirus software warnings received after visiting a UK ICO website.
“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.” said Helme.
“Someone just messaged me to say their local government website in Australia is using the software as well.”
The expert suggests using the Subresource Integrity (SRI) technique to block unwanted code injected in affected websites.
Texthelp, the company that developed the Browsealoud plugin, has removed its Browsealoud code from the web to stop the cryptocurrency mining operation.
“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” said Texthelp’s chief technology officer Martin McKay in a statement.
“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.”
Texthelp confirmed that “no customer data has been accessed or lost,” and “customers will receive a further update when the security investigation has been completed.”
The malicious code was removed by 1600 UTC today, the UK’s ICO is currently in a minimal “maintenance” mode as a precaution.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Browsealoud plugin, cryptocurrency mining script)
[adrotate banner=”5″]
[adrotate banner=”13″]
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…
This website uses cookies.