X-Labs
Février 12, 2018

CoinHive cryptocurrency mining script injected into 1000s of government websites via BrowseAloud plugin

Carl Leonard Principal Security Analyst

Over the weekend reports were made of a cryptocurrency mining script injected into government owned and run websites across the US, UK and Australia. The affected websites had a common theme – a script included in all that made a request to a JavaScript file hosted on BrowseAloud<dot>com. 

This script, ba.js, was seemingly modified by a malicious actor to include obfuscated code that made an additional request to a cryptocurrency mining tool CoinHive. End-users who visited one of the affected websites Sunday on February 11, 2018, would have had a crypto-currency miner (CoinHive, known to mine Monero coins) run in the open browser tab.

What is the current state of infection?

As of writing (Monday 12 noon GMT) some of the affected websites have been placed in maintenance mode.  For example, the UK’s Information Commissioner’s Office, the entity responsible for upholding information rights in the public interest and the UK’s nominated Supervisory Authority for GDPR requirements:

Other affected websites remain functioning but with Texthelp, the company responsible for the BrowseAloud tool, acknowledging they have automatically removed the script from their customer’s websites:

Source: https://twitter.com/texthelp/status/962798423941484547

Infection chain

Should an end-user have browsed to one of the affected websites that used the BrowseAloud script on Sunday February 11, 2018 a crypto-currency miner (CoinHive, known to mine Monero coins) was run on the end-users machine in the open browser tab.  Texthelp report the compromise of their script occurred at 11:14am GMT on Sunday February 11.

 

The infection chain was as below:

<website pulling the BrowseAloud script> ->

hXXp://www.browsealoud.com/plus/scripts/ba.js ->

hXXps://coinhive.com/lib/coinhive.min.js?rnd=[random]

 

At this time we believe the script has not performed any other function apart from cryptocurrency mining.

Texthelp are in the process of cleaning their scripts. They have provided a statement here.

JavaScript injection attacks are not a new technique; in fact they are decades old. However, this is another example of a compromised supply chain attack, similar to NotPetya in the summer of 2017.

Advice for webmasters

By identifying the source of a script common across thousands of websites a cybercriminal was able to run code on the machines of visitors to these websites.

Ultimately this event brings the issue of trust to the supply chain.  A third-party web-code supplier may not have anticipated a threat actor re-purposing their code platform and install base for cryptocurrency mining, or for other rudimentary code injection.  Care should be taken to execute code from trusted sources or to at least validate the code being called is that which is expected or normal.

Slight modifications to the way third-party code is run in websites can help mitigate the impact of third-party compromise such as this.  It is worth reading researcher Scott Helme’s blog where he describes how to use the Subresource Integrity attribute when calling scripts.

Protection statement

Forcepoint customers are protected against this threat at the following stages of attack:

Stage 3 (Redirect) – The call to CoinHive is categorized as Potentially Unwanted Software, a category which is blocked by default.

We will continue to monitor any developments in this attack.

 

Resources:

Texthelp Statement: https://www.texthelp.com/en-gb/company/corporate-blog/february-2018/data-security-investigation-underway-at-texthelp/

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

À propos de Forcepoint

Forcepoint est une entreprise leader en cybersécurité pour la protection des utilisateurs et des données. Son objectif est de protéger les entreprises tout en stimulant la transformation et la croissance numériques. Nos solutions s’adaptent en temps réel à la façon dont les personnes interagissent avec les données, et offrent un accès sécurisé tout en permettant aux employés de créer de la valeur.