
Attackers have planted a miner script on thousands of sites, including UK and US government resources

For several hours, thousands of sites around the world on a variety of topics mined the cryptocurrency Monero without the knowledge of either their administrators or their visitors. The miner arrived through a compromised plugin called Browsealoud, made by Texthelp. The plugin is an accessibility tool for people with impaired vision: it reads the text on the screen aloud for users who cannot see, or cannot see well.

The plugin was compromised, and the attackers inserted the code of a Monero miner into it without the vendor noticing. The miner is a well-known one, Coinhive, which is popular among "crypto-jackers". Yesterday, thousands of sites carrying the compromised plugin spent several hours earning cryptocurrency for the attackers. In total, 4200 addresses were affected by the compromise.

These include many US government sites, government resources in the UK and Austria, and others. Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk and legislation.qld.gov.au are only a small fraction of the sites the miner ran on. Cached copies of both the "clean" pages, without the miner, and the infected ones have been preserved. The script runs only while a visitor has such a page open; it does not infect the visitor's PC. The scheme relies on mining with the CPUs of visitors across many different sites.

Interestingly, the injected code was obfuscated, but the obfuscation was weak: once the encoded strings are decoded back to ASCII, the script reveals everything it does.

The miner code was first discovered by security consultant Scott Helme, after which The Register confirmed that many sites were affected. Helme and other experts advise site owners to use a technology called SRI (Subresource Integrity), which stops an attacker from getting injected code onto a website through a modified third-party script.

Without such a measure, no one is protected from this kind of attack. A huge number of sites use third-party plugins, extensions, widgets and themes. If the original copy of any of these is modified to carry injected code, that code spreads to every site that loads the shared element.

SRI works by checking the authenticity of the loaded code against a hash the site operator has pinned in advance. If the hash does not match, the browser refuses to load the modified script.

After the compromise became known, Texthelp announced that it had already removed the malicious code from its plugin, so sites loading it are no longer affected. The company added that the plugin is now protected against the kind of tampering used in this case, so it can continue to be used (until, of course, someone finds another vulnerability and exploits it).

On Twitter, company representatives said that their specialists began working on the problem as soon as they learned of it. "Our loading service was temporarily stopped for the duration of the investigation." The company also said the problem was resolved so quickly because Texthelp has had an incident response plan in place since last year, which is regularly updated and rehearsed.

Besides fixing the problem, the company also confirmed that user data (that is, data of the plugin's users) was neither stolen nor lost. Everything is in place.

As for the miner itself, it is not always installed by attackers. Sometimes site owners or administrators do it themselves. For example, not long ago the ThePirateBay tracker team put the same miner on the site's pages, and money began flowing into the pirates' wallet. It was noticed only because, the first (but not the last) time ThePirateBay did this, the miner consumed so much of users' PC resources that everything else ran extremely slowly.

Source: https://habr.com/ru/post/410129/