U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked

Thousands of sites were injected with an in-browser Monero miner today after a popular accessibility script was compromised. 4,275 sites were affected, including government websites such as uscourts.gov, ico.org.uk, and manchester.gov.uk.

Source: U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked


This was first noticed earlier this morning by infosec consultant Scott Helme, who saw that the UK government site ico.org.uk was loading the Coinhive in-browser mining (cryptojacking) script. Every visitor's browser was therefore spending CPU time mining the digital currency Monero for whoever controlled the script.

When Helme investigated further he found that it wasn't just this one site: many other government sites in several countries were also injecting the Coinhive miner, among them uscourts.gov, gmc-uk.org, nhsinform.scot, manchester.gov.uk, and many more.

The one thing all of these sites had in common was that they embedded a popular text-to-speech accessibility script called BrowseAloud, made by Texthelp. Each site loaded that script directly from the vendor, so every one of them executed whatever the vendor's copy contained. When Helme examined the BrowseAloud script, he saw that it contained obfuscated code that injected the Coinhive miner into every page it was loaded on.

[Image: Obfuscated BrowseAloud Script]

When decoded, the injected code loads the Coinhive cryptojacking script, runs it throttled to 40% CPU utilization, and credits the mined Monero to the Coinhive account with the key 1GdQGpY1pivrGlVHSp5P2IIr9cyTzzXq.

Knowing that the miner was being delivered through the compromised BrowseAloud script, Helme was able to quickly identify 4,275 sites that loaded the script and were therefore affected by the incident.

After Helme alerted Texthelp to the compromised script, the company's CTO stated that the script had been taken down and would not be re-enabled until an investigation had taken place.

[Image: Disabled BrowseAloud Script]

BleepingComputer reached out to Texthelp for more information but had not heard back at the time of publishing this article. In a post published since, Texthelp states that an attacker compromised the BrowseAloud script but that no other Texthelp services were affected:

At 11:14 am GMT on Sunday 11th February 2018, a JavaScript file which is part of the Texthelp Browsealoud product was compromised during a cyber attack.  The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency.  This was a criminal act and a thorough investigation is currently underway.