For several hours on Sunday, anyone in Manchester checking when their bins were due to be collected would have been helping to mine cryptocurrency. The website of Manchester City Council – and more than 4,000 others – was infected with code that mined the open-source cryptocurrency Monero. The Information Commissioner's Office (ICO), the US courts website, some NHS bodies, and councils around the UK were also hit.
The websites all had one thing in common: a plugin called Browsealoud. The snippet of code, created by UK firm Texthelp, adds "speech, reading, and translation" functionality to websites. The software is fairly popular and is intended to help people with visual impairments or dyslexia, and to act as an aid for those who aren't native English speakers.
But the plugin had been compromised and was injecting Coinhive's cryptominer into the sites. The injected JavaScript uses a visitor's processing power (their CPU) to mine the cryptocurrency Monero.
As a result of the compromised plugin, the ICO shut its websites down and others scrambled to tighten up their security systems. "We see these mining scripts on everything from porn websites to torrent sites and kids sites that offer to help with homework," says Chris Boyd, a lead malware intelligence analyst at Malwarebytes. "It's very popular."
In the case of Browsealoud, Boyd says it is likely to be one of the first instances where hackers may have installed a miner across multiple websites at once. WordPress websites and the EternalBlue vulnerability have been used to spread Monero miners previously.
The Browsealoud script was hosted on Amazon Web Services, where it was edited. Texthelp removed the plugin from use and in a statement said it will be offline until February 14. Chief technology officer Martin McKay said it had been hit by a "cyber attack".
"This is probably a result of improper controls put onto the account hosting," says Scott Helme, the security researcher who first flagged the issue on Twitter. At this point, it isn't known who targeted the Texthelp code.
"I think the attackers were trying to be intentionally discreet," he says. The cryptominer was configured to use only 60 per cent of a visitor's processor. Had it used 100 per cent, anyone visiting an infected site would have been left with a frozen device. "I think the fact they haven't gone wild and blown us off the planet is that perhaps they were trying to skate under the radar," Helme adds.
It's unlikely that the person (or people) behind the software deployment were out to make large amounts of money. To do so they would have needed huge volumes of traffic over a sustained period of time. Boyd says they may have been creating a proof-of-concept instead. "'Let's see what sort of crazy thing can be done with these scripts' rather than a serious attempt at making money."
But the attack could have been far more damaging. The Browsealoud plugin is part of the software supply chain of every site that embeds it, and attacks on this sort of third-party software aren't new. The NotPetya malware that spread through Ukraine and the US in the summer of 2017, crippling computers as it moved, was disseminated through an update to accounting software used by many businesses. At the start of 2017, computers on university networks in Singapore were targeted through their supply chains. Hacking groups linked to China have also used similar techniques.
"If you're trying to hack a government site or a bank it's probably a wasted effort, you go after the weaker supplier," Helme says. The edited Browsealoud code could have been more malicious and targeted individual users rather than directly trying to make money from their CPUs.
In its statement, Texthelp said no personal data had been stolen. "It could have been a lot worse," Boyd says. Both he and Helme argue that malware could have just as easily been installed on thousands of websites.
"They could have stolen personal data, hijacked people's accounts on various websites, they could have installed malware onto a device, they could have put a keylogger onto it," Helme adds. "They could have turned your computer into a bot on a botnet."
For Boyd, the attack also marks a growing trend away from ransomware, which encrypts files and then demands a payment before they are decrypted. He says Malwarebytes has seen a drop in ransomware during the last six months, and this may be linked to the rise in cryptocurrency prices.
"Because the value of bitcoin has gone through the roof over the last six or seven months, there's a lot of ransomware files out there where you can't really change the value that you're asking for," Boyd says. "Rather than that splash of cash with ransomware files, they're going for a long game with these mining scripts."
This article was originally published by WIRED UK