Hackers infect government websites to mine Bitcoin rival - UPDATED

ICO website taken down after it was found to have been breached, and infecting visitors' computers with malware

UPDATE:

The ICO's website is now up and running again following its malware infection by the Browsaloud plug-in. It has issued the following statement:

"The ICO's website is up and running again following a problem with the Browsealoud feature on Sunday.

"The website was taken down as a precautionary measure whilst we investigated the incident, which did not involve the access or loss of any personal data.

"The Browsealoud service has been temporarily removed from the website whilst further work is undertaken."

A spokesperson for the National Cyber Security Centre added:

"NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency.

"The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely.

"At this stage there is nothing to suggest that members of the public are at risk."

ORIGINAL STORY CONTINUES BELOW:

Hackers have managed to infect various government-run websites including that of the Information Commissioner's Office (ICO), aiming to use them to infect visitors' computers.

Their aim is thought to be to take control of unsuspecting users' machines and use them to mine Monero, a crypto-currency and rival to Bitcoin.

The ICO's website has been taken offline by its administrators as they attempt to fix the problem, and is still unavailable at the time of writing.

Security researcher Scott Helme traced the issue to a browser plug-in called Browsealoud, a service which aims to help those with impaired vision use the web.

He explained on his blog that it's far easier for hackers to compromise a plug-in used by lots of sites, than to attack them all directly.

"If you want to load a crypto miner on 1,000+ websites you don't attack 1,000+ websites, you attack the 1 website that they all load content from. In this case it turned out that Text Help, an assistive technology provider [found on Browsaloud], had been compromised and one of their hosted script files changed."

He added that a file had been edited to include a write instruction which added the malware, which was then active on every site using the service.

"The ba.js had been altered to include a document.write call that added a CoinHive crypto miner to any page it was loaded in to. This is a pretty bad situation to be in and any site that loads that file will now have the crypto miner installed. The sheer number of sites affected by this is huge and some of them are really prominent government websites!"

However, what's especially embarrassing for the ICO, the UK's body set up to uphold, publicise and enforce data protection legislation, is that this form of attack can be fairly easily thwarted, as Helme explained.

"This is not a particularly new attack and we've known for a long time that CDNs or other hosted assets are a prime target to compromise a single target and then infect potentially many thousands of websites. The thing is though, there's a pretty easy way to defend yourself against this attack. Let's take the ICO as an example, they load the affected file like this:

 < script src="//www.browsealoud.com/plus/scripts/ba.js" type="text/javascript"> < /script>

"That's a pretty standard way to load a JS file and the browser will go and fetch that file and include it in the page, along with the crypto miner... Want to know how you can easily stop this attack?

 < script src="//www.browsealoud.com/plus/scripts/ba.js" integrity="sha256-Abhisa/nS9WMne/YX+dqiFINl+JiE15MCWvASJvVtIk=" crossorigin="anonymous"> < /script>

"That's it. With that tiny change to how the script is loaded, this attack would have been completely neutralised. What I've done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page.

"I guess, all in all, we really shouldn't be seeing events like this happen on this scale to such prominent sites," he concluded.

"The ICO's website is up and running again following a problem with the Browsealoud feature on Sunday.

"The website was taken down as a precautionary measure whilst we investigated the incident, which did not involve the access or loss of any personal data.

"The Browsealoud service has been temporarily removed from the website whilst further work is undertaken."