Thousands of websites, including those belonging to NHS services, the Student Loans Company and several English councils, have been serving malware that makes visitors' computers mine cryptocurrency for as long as they stay on the site. Late on Sunday, the website of the UK's data protection watchdog, the Information Commissioner's Office, was taken down to deal with the issue after it was reportedly infected by the malware.
Commenting on this, Christopher Littlejohns, EMEA Manager at Synopsys, said:
“This incident is another classic software supply chain management issue. In this particular case an accessibility enhancing plugin to aid the blind and partially sighted was modified to enable the bitcoin mining whenever a web page that incorporated the plugin was visited. On government run, high volume sites, this could be very lucrative as the hourly footfall on such pages would be considerable, thereby motivating the criminal gang behind this attack. This will be a theme as long as there is money to be made by cryptocurrency mining. It’s a relatively easy way to make money without the need to exploit access to personal information or account details; in this sense it is much harder to track the criminals. The NHS and other government agencies are particular targets due to two key factors: 1. the lack of adequate protections to prevent such attacks, and 2. the high number of people visiting the sites, each infected page visit reaping a reward for the perpetrators. Whilst there will be an initiative to tackle such issues within the public sector, we should expect the criminals to target other high footfall sites or other delivery mechanisms to achieve their aims.”
Steve Giguere, lead EMEA engineer at Synopsys, added:
“The issue here is larger than the crypto-mining malware itself. Over the past 10 years, the browser has changed from being a passive window onto the internet to a fully functional multi-purpose application portal with a comprehensive attack surface.
This malware came from a hack on a browser plug-in for visual or literacy impairments. This time it was used to mine crypto-currency but there’s reason to suggest the same mechanism could also be employed for DDoS (distributed denial of service). Designers of trusted plug-ins may have either underestimated the security requirements of their own SDLC, never thought themselves a target, or, as plug-ins are often designed by smaller teams with lower budgets, simply didn’t have the expertise to harden their development environment to prevent compromise.
As hackers are always looking for a weak link, we can expect that browser plug-ins will continue to be an active target to exploit the distributed horse-power of browser based computing. In this particular incident, a plug-in used by organisations which have a large user base and have demonstrated in the past (WannaCry) the potential to be an easy target no doubt incentivised the attackers.”