This script, ba.js, was seemingly modified by a malicious actor to include obfuscated code that made an additional request to a cryptocurrency mining tool CoinHive. End-users who visited one of the affected websites Sunday on February 11, 2018, would have had a crypto-currency miner (CoinHive, known to mine Monero coins) run in the open browser tab.
What is the current state of infection?
As of writing (Monday 12 noon GMT) some of the affected websites have been placed in maintenance mode. For example, the UK’s Information Commissioner’s Office, the entity responsible for upholding information rights in the public interest and the UK’s nominated Supervisory Authority for GDPR requirements:
Other affected websites remain functioning but with Texthelp, the company responsible for the BrowseAloud tool, acknowledging they have automatically removed the script from their customer’s websites:
Should an end-user have browsed to one of the affected websites that used the BrowseAloud script on Sunday February 11, 2018 a crypto-currency miner (CoinHive, known to mine Monero coins) was run on the end-users machine in the open browser tab. Texthelp report the compromise of their script occurred at 11:14am GMT on Sunday February 11.
The infection chain was as below:
<website pulling the BrowseAloud script> ->
At this time we believe the script has not performed any other function apart from cryptocurrency mining.
Texthelp are in the process of cleaning their scripts. They have provided a statement here.
Advice for webmasters
By identifying the source of a script common across thousands of websites a cybercriminal was able to run code on the machines of visitors to these websites.
Ultimately this event brings the issue of trust to the supply chain. A third-party web-code supplier may not have anticipated a threat actor re-purposing their code platform and install base for cryptocurrency mining, or for other rudimentary code injection. Care should be taken to execute code from trusted sources or to at least validate the code being called is that which is expected or normal.
Slight modifications to the way third-party code is run in websites can help mitigate the impact of third-party compromise such as this. It is worth reading researcher Scott Helme’s blog where he describes how to use the Subresource Integrity attribute when calling scripts.
Forcepoint customers are protected against this threat at the following stages of attack:
Stage 3 (Redirect) – The call to CoinHive is categorized as Potentially Unwanted Software, a category which is blocked by default.
We will continue to monitor any developments in this attack.