Security of Code Pushed by Content Delivery Networks Remains Ongoing Concern
More than 4,200 websites, some belonging to the U.S., U.K. and Australian governments, unknowingly turned their visitors’ computers into mining machines to harvest the virtual currency Monero for a few hours on Sunday.
The websites use accessibility software called Browsealoud designed to magnify, read aloud or translate text, among other functions. Browsealoud is developed by software firm Texthelp, which has offices in Massachusetts as well as Northern Ireland.
“The company has examined the affected file thoroughly and can confirm that it did not redirect any data,” says Martin McKay, Texthelp’s CTO and data security officer, in a statement released Sunday. “It simply used the computers’ CPUs to attempt to generate cryptocurrency.”
Cryptocurrency mining consumes CPU or GPU cycles, which usually goes unnoticed by individuals whose computers have been affected. But the incident could have been engineered for more nefarious aims, including stealing user data.
“The script could have done multiple things,” says Scott Helme, a U.K.-based security researcher. “We’re lucky the attackers didn’t know/realize this or simply chose not to.”
Ummm, so yeah, this is *bad*. I just had @phat_hobbit point out that @ICOnews has a cryptominer installed on their site… pic.twitter.com/xQhspR7A2f
— Scott Helme (@Scott_Helme) February 11, 2018
According to the list published by Texthelp, affected sites included NHS and local government websites in the U.K., as well as the Information Commissioner’s Office, which is the U.K.’s data privacy watchdog. Sites including the U.S. government’s federal court website and the government of Queensland in Australia were also affected.
Mining vs. Ransomware
Over the past few months, security researchers have increasingly seen cryptocurrency mining software inserted into web pages. Many of the incidents involve Monero, a privacy-focused virtual currency.
Unlike bitcoin, Monero can still be mined on consumer-grade hardware. The Coinhive software is intended as an alternative way to monetize website content. In theory, however, websites should disclose the use of the software.
The economics around cryptocurrency mining are so favorable right now that experts say criminal actors are moving away from file-encrypting ransomware.
Cryptocurrency mining “doesn’t rely on the victim being willing and/or capable of making payment,” writes the U.K.’s National Cyber Security Centre in an advisory on Friday. “It is also not confrontational but is designed to operate undetected in the background over a long period, potentially earning more money than a ransomware campaign.”
“Almost every AV and web block I’ve seen all week have been cryptocurrency mining,” writes British security researcher Kevin Beaumont on Twitter. “It’s a massive swing. Email macros etc. have seen a massive decrease so far this year, now it’s Java RATs (which work on Macs), O365 and Google phishing, and mining. Even ransomware dropping off.”
The broader risk for enterprises is a well-known one: How can you guarantee that software developed by others hasn’t been compromised?
“If you go after these sorts of supply chain targets that a lot of people use, and you’re able to compromise them, compromise the service, compromise the updates that they’re pushing down to their customers, it enables you to get a very large swath of potential targets,” says Luke McNamara, a principal analyst with FireEye based in Washington, D.C. “That’s something that’s very worrying.”
Helme, the U.K. security researcher, has published a blog post about the Texthelp incident. He says it doesn’t appear that Texthelp’s servers were directly compromised. Browsealoud’s software was hosted on Amazon’s S3 service and its CloudFront content distribution network.
It’s also on @uscourts! pic.twitter.com/UyPjzbEsPw
— Scott Helme (@Scott_Helme) February 11, 2018
That could mean that Texthelp’s authentication credentials were either leaked or captured through a phishing attack. Helme says he doubts it was a result of a security compromise at Amazon, but rather that Texthelp may have misconfigured permissions on an S3 bucket. That’s a somewhat common mistake that can lead to data breaches.
“Rather than trusting a third party not to do anything untoward, it’d be far better to actually verify that they’re not doing anything nasty, and that’s exactly what SRI allows us to do,” Helme writes.
Defense: Enable SRI
Chrome and Firefox support SRI, or Subresource Integrity, which lets a page specify the expected cryptographic hash of a script it loads from a third party so that the browser refuses to run a copy whose contents no longer match. Helme in 2015 published a blog post explaining how to implement SRI. Troy Hunt, an Australian security expert, has also published advice on how to use SRI.
If cryptocurrency miners continue to pop up, FireEye’s McNamara says that enterprises may have to start scanning for and blocking outward connections to mining pools. Computers mining cryptocurrency often participate in pools, or groups of computers, which collectively contribute results of their hashing calculations.
In order to report the results of the computations, miners have to make outbound connections to those pools, which could be detected, he says.
“That’s not necessarily going to prevent that malware running the system if it’s been infected, but that will be a way to detect that and certainly decrease the utility of that malware,” McNamara says.