Visitors to the website of the Information Commissioner’s Office (ICO) have been infected with Monero-mining malware after the website was compromised by hackers.
The ICO’s website was taken offline over the weekend while systems administrators attempted to fix the problem, and is still unavailable on Monday morning.
Security researcher Scott Helme traced the issue to a browser plug-in called Browsealoud, a service intended to help people with impaired vision use the web.
He explained on his blog that it’s far easier for hackers to compromise a plug-in used by lots of sites, than to attack them all directly.
“If you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the one website that they all load content from. In this case it turned out that Text Help, an assistive technology provider [the company behind Browsealoud], had been compromised and one of their hosted script files changed.”
He added that a file had been edited to include a write instruction which added the malware, which was then active on every site using the service.
“ba.js had been altered to include a document.write call that added a CoinHive crypto miner to any page it was loaded into. This is a pretty bad situation to be in and any site that loads that file will now have the crypto miner installed. The sheer number of sites affected by this is huge and some of them are really prominent government websites!”
However, what’s especially embarrassing for the ICO, the UK’s body set up to uphold, publicise and enforce data protection legislation, is that this form of attack can be fairly easily thwarted, said Helme.
“This is not a particularly new attack and we’ve known for a long time that CDNs or other hosted assets are a prime target to compromise a single target and then infect potentially many thousands of websites. The thing is though, there’s a pretty easy way to defend yourself against this attack. Let’s take the ICO as an example, they load the affected file like this:
“That’s a pretty standard way to load a JS file and the browser will go and fetch that file and include it in the page, along with the crypto miner… Want to know how you can easily stop this attack?
<script src="http://www.browsealoud.com/plus/scripts/ba.js" integrity="sha256-Abhisa/nS9WMne/YX+dqiFINl+JiE15MCWvASJvVtIk=" crossorigin="anonymous"></script>
“That’s it. With that tiny change to how the script is loaded, this attack would have been completely neutralised. What I’ve done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page.
“I guess, all in all, we really shouldn’t be seeing events like this happen on this scale to such prominent sites,” he concluded.