Websites across the globe, including several Australian government sites, have been infected with malware that forces visitors’ computers to mine cryptocurrency without their knowledge.
The attack hit the official website of the Victorian parliament, as well as Queensland’s legislation site, Civil and Administrative Tribunal, Community Legal Centre and ombudsman. Elsewhere, YouTube and the UK government were among more than 4,000 sites reportedly affected.
The process, known as cryptojacking, generates virtual money for the attack’s perpetrators while consuming visitors’ CPU cycles, causing their computers to slow down.
How does it work?
The attackers compromised Browsealoud, a plug-in that converts website text to audio for the visually impaired. Because the plug-in’s JavaScript file is hosted by its maker and loaded directly by every site that uses it, modifying that one file was enough to insert a script into all of them. The inserted script requested the in-browser mining tool Coinhive, which then used visitors’ CPU to mine the privacy-focused cryptocurrency Monero.
The makers of the plug-in, Texthelp, quickly confirmed that the plug-in had been compromised, and took Browsealoud offline to prevent the script from continuing to run.
For all the damage that the attack caused, it reportedly generated only US$24 for the criminals, a sum that Coinhive said it would not pay out.
Affected sites could have prevented the attack
Scott Helme, a UK-based security researcher who discovered the malware, told the Guardian that government websites could have done more to prevent the attack.
“When you load software like this from a third party, that third party can change it and make it do whatever they want,” he said.
“There are easy ways to make sure they don’t do that. We don’t know how Texthelp were compromised yet, so it is hard to say whether they were really unlucky or there was some kind of inherent problem with what they were doing.
“But there were ways the government sites could have protected themselves from this. It may have been difficult for a small website, but I would have thought on a government website we should have expected these defence mechanisms to be in place.”
The defences Helme is referring to are Subresource Integrity (SRI) and Content Security Policy (CSP). An integrity attribute on the script tag makes the browser refuse to run a third-party script whose hash no longer matches the one the site published, and a CSP script-src directive stops the page loading scripts from hosts, such as Coinhive’s, that it never intended to use. The affected sites had neither. A penetration test that covered the sites’ third-party dependencies would have flagged the missing controls and given the affected organisations an opportunity to put corrective actions in place.
Regular web application penetration tests can find security problems in websites and web applications. Testers review server systems, static content, client-side scripts and the third-party dependencies they pull in, and the server-side programs that implement the application logic, to identify insecure development practices in the design, coding and publishing of software.
Penetration testers will also provide recommendations for improving your security posture. Depending on the vulnerability, they might advise adjusting your organisation’s processes to keep untrusted data separate from commands and queries, developing strong authentication and session management controls, separating untrusted data from active browser content, or, as in this case, pinning third-party scripts with Subresource Integrity hashes and restricting where scripts may be loaded from with a Content Security Policy.
IT Governance offers fixed-price and bespoke CREST-accredited penetration tests, and all our tests are followed by reports that rank and rate vulnerabilities in your systems.