The Daily Swig Web security digest

‘We’re fortunate that the attackers had a very limited imagination’

James Walker | 16 February 2018 at 11:21

Security researcher Scott Helme takes stock of this week’s BrowseAloud cryptojacking campaign.

One of this week’s biggest cybersecurity stories came from independent researcher Scott Helme, who helped spread the word that more than 4,000 websites – including those of numerous government and public sector organizations – had been subject to a large-scale cryptojacking campaign.

The affected sites, which included the UK’s Information Commissioner’s Office, the General Medical Council, and United States Courts, among many others, all had one thing in common: they were loading a script from assistive technology provider Texthelp.

Texthelp is the company behind BrowseAloud – a solution that makes websites more accessible with easy speech, reading, and translation options.

While the tool aims to give website visitors a better experience, a malicious alteration to the BrowseAloud JavaScript library had the entirely opposite effect, covertly turning users’ devices into Monero miners.

Show me the Monero

It’s now been five days since Helme flagged the cryptojacking campaign. Texthelp is understood to have completed a security review and redeployed BrowseAloud with improved threat detection.

“To the best of my knowledge there is no ongoing risk to customers now,” Helme told The Daily Swig. “Users’ devices would have only been mining whilst visiting one of the affected sites.”

Although a subsequent report from Motherboard indicates that the hackers earned just $24 through their endeavor, Helme took issue with web admins’ sluggish response to a campaign that could have been much worse.

“I don’t think the response was great, at all,” he said. “Most of the sites are still trying to load the file, which has since been taken offline, so they’re not currently affected, and it’s been several days since the incident.

“We’re fortunate that the attackers had a very limited imagination. There were ways they could have had a more persistent threat.”

The new normal

The rise of WannaCry, Locky, and Cerber all helped ransomware achieve a banner year in 2017. However, a recent report from Malwarebytes Labs suggests that attackers will pivot to banking trojans, spyware, and cryptocurrency in 2018.

For Helme, the BrowseAloud campaign acts as another indication that hackers’ preferences are indeed shifting. “I do think we will see the rise of cryptojacking and the fall of ransomware,” he stated.

“One problem that ransomware has is the fluctuations in the price of cryptocurrency. One week it might cost $500 to decrypt a file and a month later it’s $5,000. With cryptojacking, you mine the currency and that’s it.”

Helme said the events of the past week demonstrate just how easy it is for attackers to recruit thousands of crypto-mining devices through a single point of access.

“It’s easier to insert the mining code into websites than it is to get malware onto a physical endpoint for ransomware,” he said. “A simple persistent XSS vulnerability, and you’re mining.

“As we saw over the weekend, compromising a third-party library is also a great way to hit thousands of sites with millions of visitors, too. Other viable targets could be large hosting providers and platforms. Imagine the damage that could be caused by attackers loading a crypto-miner into all WordPress websites.”
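The incident described above turns on sites executing whatever a third-party host serves them. The standard browser-side mitigation for that is Subresource Integrity (SRI): the site pins a hash of the script it reviewed in the `integrity` attribute, and the browser refuses to run a copy whose hash differs. The following is an added example, not code from Texthelp, BrowseAloud or The Daily Swig; the script bodies and the CDN URL are constructed placeholders, and `verify_sri` reproduces the browser's matching rule (strongest listed algorithm wins, any token of that algorithm may match) except that it fails closed when no usable token is present.

```python
import base64
import hashlib
import hmac

# Constructed sample of a third-party script as originally reviewed and pinned
# (not the real BrowseAloud code).
ORIGINAL_SCRIPT = b"(function(){window.ba={version:'1.0'};})();\n"
# Constructed tampered copy: the same script with an extra line appended, standing in
# for the kind of unauthorised modification the article describes.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* injected line */\n"

# Algorithms the SRI spec allows, weakest to strongest.
SUPPORTED = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity token ("<algo>-<base64 digest>") for a script body."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute value.

    The attribute may carry several whitespace-separated tokens. As in browsers, only
    the strongest supported algorithm present is considered, and the body passes if it
    matches any token using that algorithm. Unlike browsers, which ignore an attribute
    with no usable token and load the script anyway, this check fails closed.
    """
    by_algo: dict[str, list[str]] = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SUPPORTED and b64:
            by_algo.setdefault(algo, []).append(b64)
    if not by_algo:
        return False
    strongest = max(by_algo, key=SUPPORTED.index)
    actual = sri_hash(body, strongest).split("-", 1)[1]
    # Constant-time comparison; the digests are public, but it costs nothing.
    return any(hmac.compare_digest(actual, cand) for cand in by_algo[strongest])


def script_tag(src: str, integrity: str) -> str:
    """Render the <script> element a site would publish. crossorigin="anonymous" is
    required for SRI to apply to a cross-origin script."""
    return (f'<script src="{src}" integrity="{integrity}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    # Hypothetical CDN path, not the vendor's real one.
    print(script_tag("https://cdn.example.invalid/plus/scripts/ba.js", pinned))
    print("original copy passes:", verify_sri(ORIGINAL_SCRIPT, pinned))
    print("tampered copy passes:", verify_sri(TAMPERED_SCRIPT, pinned))
```

With the hash pinned, a modified copy of the file is rejected by the browser rather than executed, so the miner never runs on visitors' devices; the cost is that the site's own accessibility widget stops loading until the operator reviews the vendor's update and republishes the tag with the new hash, which is exactly the review step the incident shows was missing.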