Crypto-Currency Miner Hits Thousands of Sites via Accessibility Script

The Browsealoud text-to-speech accessibility extension was injected with the Coinhive crypto-currency mining script, leading to unauthorized mining on thousands of sites around the world.

cryptojacking

The ongoing challenge of unauthorized crypto-currency mining has taken a new turn, with thousands of websites having been impacted by a third-party accessibility script.

On Feb. 11, Texthelp reported that its Browsealoud text-to-speech extension was compromised during a cyber-attack. Browsealoud is widely deployed on sites around the world, particularly on government websites that use the tool to help enable better accessibility.

"The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate crypto-currency," Martin McKay, CTO and data security officer at Texthelp, stated. "This was a criminal act and a thorough investigation is currently underway."

Injected into the Browsealoud code was the Coinhive Monero crypto-currency mining code. Coinhive is an in-browser mining script the uses the CPU power of the system it is running on in an attempt to mine crypto-currency. The process of mining crypto-currency involves CPU-intensive calculations for cryptographic hashes to create a new coin. While the altered code from Browsealoud did consume CPU resources on end-user systems, Texthelp said no customer data was accessed or lost.  

"The company has examined the affected file thoroughly and can confirm that it did not redirect any data; it simply used the computers’ CPUs to attempt to generate crypto-currency," McKay stated. "The exploit was active for a period of four hours on Sunday."

The Browsealoud crypto-currency mining attack was first publicly reported by security researcher Scott Helme. According to Helme's analysis, at least 4,275 websites were running the Browsealoud script at the time the crypto-currency mining attack was occurring. Among the sites that were impacted were U.S. websites including uscourts.gov, multiple United Kingdom government sites including the British National Health Service (NHS), and government sites in Sweden and Australia.

"If you want to load a crypto miner on 1,000+ websites you don't attack 1,000+ websites, you attack the one website that they all load content from," Helme wrote.

It's currently not known how Texthelp was breached, enabling an attacker to modify the Browsealoud code. McKay noted that Texthelp has continuous automated security tests in place for the Browsealoud code base and the Browsealoud tool has now been taken offline to limit further risk.

"This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action," McKay stated.

The Browsealoud incident is the latest in a string of recent unauthorized crypto-currency mining attacks. On Feb. 7, security firm Radiflow reported that attackers had managed to install a crypto-currency miner on a public water utility in Europe. Crypto-currency mining attacks have also gone after unpatched Oracle WebLogic servers, misconfigured SSH servers and even YouTube, as attackers aim to profit from crypto-currency mining.

Content Security Policy

The Browsealoud attack is noteworthy in that it was a third-party script that exposed sites and their end users to risk. There are, however, multiple steps that site owners can take to limit the risk of third-party scripts.

Helme suggests the use of Content Security Policy (CSP) to make sure that unauthorized scripts don't run. The general idea behind CSP is to help limit the risk of third-party scripts by enabling sites to declare where content can be loaded from. As part of CSP, Helme recommends that sites use the Sub-Resource Integrity attribute that is intended to identify if a script has been modified. The script would need to first be properly identified and signed with the SRI Hash Generator.

"You can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute," Helme wrote.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.