The UK’s data protection regulator was among several government organisations hit by crypto-mining hackers over the weekend, a security researcher has revealed.
Scott Helme identified a malicious script running on the Information Commissioner's Office’s site after being tipped off by a friend whose anti-virus software flagged the code.
Sites run by the Student Loans Company, the Pensions Advisory Service and the General Medical Council were also among the thousands of sites compromised by the malware.
It is not known who deployed the script, but it has been traced back to a Texthelp plug-in called Browsealoud which lets blind and partially-sighted people access the web.
Texthelp confirmed that its plug-in had been compromised for four hours on Sunday. Helme told NS Tech that the affected organisations “got off lightly”.
“This could have been much worse,” he said. “It could have gone under the radar for weeks. I’m hoping people will take that seriously and realise we got off lightly.”
The malware did not seek to extract users’ personal information and the National Cyber Security Centre said in a statement that there is nothing to suggest the public is at risk.
Helme added that the affected sites could have protected themselves from the hack by running two pieces of security technology: a content security policy (CSP) and subresource integrity (SRI). Together these would have restricted which sources could run scripts on each site and which specific scripts they could run.
Crypto-mining scripts harness the power of users’ devices to generate cryptocurrencies. In this case, hackers had added a programme called Coinhive to the plug-in to mine for Monero. The ICO, Student Loans Company and other affected organisations temporarily took their sites down while the script was being removed.
Texthelp CTO Martin McKay said: “Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.
“Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data; it simply used the computers' CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday.”
Christopher Littlejohns, EMEA manager at Synopsys, said NHS and government websites were at risk of such attacks because they have high visitor numbers and lack adequate protections.
“Whilst there will be an initiative to tackle such issues within the public sector, we should expect the criminals to target other high footfall sites or other delivery mechanisms to achieve their aims,” he added.