4,000 websites, including UK’s data watchdog
At first glance a CoinHive crypto miner being served by a website whose URL contains the string ‘ICO’ might not seem so strange.
But when you know that ICO in this case stands for the UK’s Information Commissioner’s Office – aka the national data protection and privacy watchdog, whose URL (https://ico.org.uk) predates both Bitcoin and the current craze for token sales – well, the extent of the cryptojacking security snafu quickly becomes apparent.
Nor is the ICO the only website, government or otherwise, caught serving cryptocurrency mining malware to visitors on every page they visited. Thousands of sites were compromised via the same plugin.
Security researcher Scott Helme flagged the issue via Twitter yesterday, having been initially alerted by another security professional, Ian Trump.
Helme traced the source of the infection to an accessibility plugin called Browsealoud, made by a UK company called Texthelp.
The web screen reader software was being used on scores of UK government websites – but also further afield, including on government websites in the US and Australia.
The more I think about this the worse it becomes. Attackers had arbitrary script injection on thousands of sites including many NHS websites here in England. Just stop and think for a few moments about what exactly they could have done with that capability…
tl;dr: “If you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the 1 website that they all load content from,” as Helme has since blogged about the attack.
Texthelp has also since issued a statement – confirming it was compromised by (as yet) unknown attackers, and saying it is investigating the incident.
According to Texthelp the crypto miner was active for four hours on Sunday – before, the company claims, its own “continuous automated security tests” detected the modified file in Browsealoud and responded by pulling the product offline.
“This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action,” it further claims.
However, at the time of writing, the ICO’s website remains down for “website maintenance” – having been taken offline on Sunday soon after Helme raised the alarm.
We reached out to the ICO with questions and a spokesperson responded with this statement: “We are aware of the issue and are working to resolve it. We have taken our website down as a precautionary measure whilst this is done.”
The spokesman added that the ICO’s website remains offline today because it is investigating what it believes is another Browsealoud-related issue.
“The ICO’s website will remain closed as we continue to investigate a problem which is thought to involve an issue with the Browsealoud feature,” the spokesperson told us, without elaborating further.
Yesterday the UK’s National Cyber Security Centre issued its own statement about the crypto miner attack, writing:
NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency.
The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely.
At this stage there is nothing to suggest that members of the public are at risk.
Texthelp has also claimed that no customer data was “accessed or lost” as a result of the attack, saying in its statement yesterday that it had “examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers’ CPUs to attempt to generate cryptocurrency”.
We’ve also reached out to Texthelp for any updates on its investigation – at the time of writing the company has not responded.
But even if no user data has indeed been compromised, as it claims, the bald fact that government websites were found to be loading a CoinHive crypto miner which clandestinely, and thus illegally, mined cryptocurrency en masse is hugely embarrassing. (Although, as Helme points out, the attack could have been much, much worse. A little CPU burn is not, for example, stolen credit card data.)
Still, Helme also argues there is added egg on face here – perhaps especially for the ICO, whose mission is to promote data protection best practice, including robust digital security – because the attack would have been trivially easy to prevent, with a small change to how the third party JS script was loaded.
In a blog post detailing the incident he describes a method that would have mitigated the attack – explaining:
What I’ve done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page. To take this one step further and ensure absolute protection, you can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute. In short, this could have been totally avoided by all of those involved even though the file was modified by hackers. On top of all of that, you could be alerted to events like this happening on your site via CSP Reporting which is literally the reason I founded Report URI. I guess, all in all, we really shouldn’t be seeing events like this happen on this scale to such prominent sites.
Although he does also describe the script the ICO used for loading the problem JS file as “pretty standard”.
So it does not look like the ICO was doing anything especially unusual here – it’s just that, well, a national data protection agency should probably be blazing a trail in security best practice, rather than sticking with the riskier bog standard.
Not to single out the ICO too much though. Among the other sites compromised in the same attack were US courts, the UK’s financial ombudsman, numerous local government websites, National Health Service websites, higher education websites, theatre websites and Texthelp’s own website, to name a few.
And with volatile cryptocurrency valuations clearly incentivizing cryptojacking, this type of malware attack is going to remain a problem for the foreseeable future.
Also blogging about the incident, and the SRI + CSP defense proposed by Helme, web security pro Troy Hunt (of haveibeenpwned.com data breach search service fame) has a bit more of a nuanced take, pointing out that third party plugins can be provided as a service, rather than a static library, so might need (and be expected) to make legitimate changes.
And therefore that the broader issue here is how websites are creating dependencies on external scripts – and what can be done to fix that. Which is certainly more of a challenge.
Perhaps especially for smaller, less well-resourced websites. At least as far as government websites go, Hunt argues they certainly should be doing better at shutting down these types of web security risks.
“They should be using SRI and they should be only allowing trusted versions to run. This requires both the support of the service (Browsealoud) not to arbitrarily modify scripts that subscribers are dependent on and the appropriate processes on behalf of the dev teams,” he writes, arguing that government websites need to take these risks seriously and have a prevention plan incorporated into their software management programs – as standard.
“There are resources mentioned above to help you do this – retire.js is a perfect example as it relates to client-side libraries,” he adds. “And yes, this takes work.”
But if the ICO isn’t going to do the work to lock down web application risks, how can the national data watchdog expect everyone else to?
Is the tl;dr that good security takes some planning? If so, yes, I agree.