Over 4,200 websites around the world, including several in Canada, have learned the hard way to be wary of third-party software used on their websites after being infected with crypto mining malware.
The software, from Texthelp Ltd., is called Browsealoud, a text-to-voice reading aid for people with dyslexia, low literacy, mild visual impairments or whose native language isn’t English. On Sunday, February 11, a JavaScript file that is part of the Browsealoud product was compromised during a cyber attack, the company admitted: malicious code was added to the file to use a visiting browser’s CPU to illegally generate cryptocurrency.
Canadian sites possibly compromised include the Toronto-based Centre for Addiction and Mental Health (CAMH), the Ottawa-Carleton District School Board and Ontario’s Information and Privacy Commissioner, the Ontario cities of Cambridge, Pickering and Oshawa, the Ontario government’s community granting Trillium Foundation, B.C.’s Fraser Valley Regional Library, the Multiple Sclerosis Society of Canada and many others, according to an Internet search for the affected script conducted by British security researcher Scott Helme.
UPDATE: This morning the office of the Information and Privacy Commissioner of Ontario issued a statement: “We can confirm that we were notified by Texthelp that the plug-in Browsealoud used on the IPC website for accessibility purposes was compromised by the use of malicious code, in an attempt to illegally generate cryptocurrency. We know that no IPC data was accessed or lost, and the script has been disabled. Cyberattacks have become an increasingly common threat to information security, and the IPC regularly reviews its security systems to ensure that our network remains uncompromised.”
Others victimized include the City University of New York, the U.S. government’s court information portal, the U.K.’s Student Loans Company and Britain’s Information Commissioner’s Office.
Martin McKay, Texthelp’s CTO and data security officer, said in a company blog that “the risk was mitigated for all customers within a period of four hours” after being notified. “Texthelp has in place continuous automated security tests for Browsealoud – these tests detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.”
To allow customers to investigate and learn more about Texthelp’s actions, the service won’t be resumed until today (Feb. 13).
Texthelp says there was no attempt to extort or ransom money from itself or its customers. “The company has examined the affected file thoroughly and can confirm that no customer data has been accessed or lost.”
Cryptomining — sometimes called cryptojacking — is a lucrative scam used by people who crave free CPU cycles to mine for cryptocurrency, particularly because the value of cryptocurrencies has risen sharply in the last 12 months. Cryptocurrencies can be bought through exchanges, of course, but they can also be earned through “mining,” another word for solving complex equations. The reward for solving the equation is a digital coin. Genuine miners buy and chain together computers for their mining; criminals or corporate insiders want to leverage the CPUs of others.
Usually, no end-user data is stolen, but the victim’s machines can become sluggish and therefore there is a loss of productivity.
It’s not only PCs and servers that can be infected. Cryptocurrency mining malware can be found on industrial control systems. One was found on four servers connected to an operational technology (OT) network at a wastewater facility in Europe, industrial cybersecurity firm Radiflow has told SecurityWeek. This morning SecureList detailed how the desktop version of the Telegram instant messaging service could be exploited to launch a cryptominer. The vulnerability has been patched.
‘New business model’ for criminals
“In this new business model,” a blog from Cisco Systems’ Talos threat intelligence service noted in January, “attackers are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom. Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining. In these cases the better the performance and computing power of the targeted system, the better for the attacker from a revenue generation perspective. IoT devices, with their lack of monitoring and lack of day to day user engagement, are fast becoming an attractive target for these attackers, as they offer processing power without direct victim oversight. While the computing resources within most IoT devices are generally limited, the number of exposed devices that are vulnerable to publicly available exploits is high which may make them attractive to cyber criminals moving forward.”
A group of 2,000 infected systems could generate US$500 a day, or $182,500 a year, Talos said, depending on the market value of the currency.
In his blog, Helme said Browsealoud’s JavaScript had been altered to include a call that added a CoinHive crypto miner to any web page it was loaded into.
One possible solution is a content security policy (CSP) that whitelists the domains from which your website is allowed to load scripts; in this case it would have blocked the call to CoinHive. Another is subresource integrity (SRI), which lets browsers verify that files they fetch (for example, from a content delivery network) arrive without having been manipulated, by comparing a hash of the fetched file against one declared in the page. For a file fetched from another origin, SRI requires the server to send CORS headers and the script tag to carry a crossorigin attribute.