Government websites hacked by coinminers
Australian Government websites were among those hacked and hijacked by a coinmining operation.
More than 4000 government websites worldwide, including a number in Australia, were hacked and hijacked to run a cryptocurrency miner using unsuspecting visitors’ machines.
The hacked websites, which comprise both federal and state government websites — including parliament.vic.gov.au and legislation.qld.gov.au — were compromised to run the Coinhive mining software.
Security researcher Scott Helme discovered the attack and this week published a list of 4275 government websites from around the world that were hijacked by the attackers.
The Coinhive malware is designed to hide in a website’s code, steal the processing power of visitors’ devices and use their CPU cycles to mine for a cryptocurrency known as Monero.
The sites were infected through a popular web accessibility plug-in called Browsealoud, a script designed to convert page text into audio for the visually impaired.
Browsealoud’s developer, UK-based TextHelp, confirmed that the plug-in was compromised during a cyber attack. The attacker inserted malicious code into a JavaScript file that forms part of the plug-in.
Once Browsealoud was compromised, every website which used the infected plug-in was infected automatically. Because Browsealoud was developed in the UK, the list of compromised websites includes a particularly large number of government sites from that nation.
TextHelp CTO and Data Security Officer Martin McKay said the company took the compromised plug-in offline after an automated scan discovered a modified file, and stated that no customer data has been accessed or lost in the breach.
“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective; the risk was mitigated for all customers within a period of four hours,” he said.
McKay said the company is working with the UK’s National Crime Agency and National Cyber Security Centre to pursue the investigation into the breach.
According to Helme, technology measures exist to prevent attacks of this nature, but none of the compromised websites had been using them. He also noted that the same method used to hijack websites with cryptocurrency mining software could have been used to inject a range of other, more damaging malware such as keyloggers into the websites.
NordVPN CMO Marty Kamden said the large international hack shows that governments do not have strong digital security and are leaving the citizen data they collect exposed to theft.
“For example, UK has the most invasive data collection law that allows government agencies to collect communications data in bulk, and Australia is considering a similar Bill that would allow government agencies to access encrypted communications,” he said.
“All this collected data becomes an easy target for hacking and cybercrime — since governments cannot protect their own sites, we think there will be security issues with stored private data.”
He urged all internet users to share as little information about themselves as possible online and to use a VPN to prevent governments from monitoring their online activity.
The Australian Cyber Security Centre (ACSC) issued an advisory on the attack, noting that organisations using the plug-in do not need to fear that their internal networks or websites are at risk of compromise. The centre confirmed that TextHelp had addressed the security issue and had temporarily taken the plug-in offline while investigations continued.
But the ACSC also advised all organisations to “review their use of third-party website plug-ins and where applicable consider implementing appropriate security controls”. The centre referred to the Open Web Application Security Project (OWASP) advisory on third-party JavaScript management.
There are also client-side browser plug-ins available designed to prevent computer cycles from being hijacked for cryptocurrency mining, such as NoCoin.
Australian cybersecurity researcher Troy Hunt told the ABC that it’s not only government websites that are at risk of being compromised in such an attack — many corporate websites are equally lax about placing restrictions on how website scripts run and which scripts can be trusted.
The attack coincides with a number of other high-profile security incidents involving cryptocurrencies, including the re-emergence of cybercrime group Lazarus targeting Bitcoin users and global financial organisations, and the recent theft of around $216 million worth of Nano coins from Italian coin exchange Bitgrail.
According to research from Australia-born fraud detection start-up ThreatMetrix, cryptocurrency marketplaces have become a prime target for cybercriminals. Fraudulent new accounts are being created using stolen or fabricated identities to launder money, and legitimate accounts are being hacked to make fraudulent payments and unauthorised cryptocurrency transfers.
“Cryptocurrency marketplaces need a more accurate way to verify the identity of new customers who open an account in order to prevent the infiltration of criminals,” ThreatMetrix VP of Marketing Vanita Pandey said.
ThreatMetrix was acquired in January by UK information and analytics company RELX Group for £580 million ($1.02 billion) in cash.