Over the weekend, an attacker targeted Browsealoud, an accessibility tool that websites embed to make their content easier to consume for people who are blind, dyslexic or otherwise have trouble reading text on screen. The attacker inserted malicious code into a JavaScript library that Browsealoud loads whenever it runs on a customer’s website; that code steals computing cycles from the machines of people visiting the affected websites.
That gave the attacker a back door into more than 4,000 websites across the world. People visiting those websites likely found their computers slowing down as the code used their processors to “mine” a cryptocurrency called Monero on the attacker’s behalf. The cryptojacking was accomplished through software called Coinhive.
According to a statement from Texthelp, the company behind Browsealoud, the cryptojacking scheme only lasted about four hours. Scott Helme, a security researcher in the United Kingdom who appears to have been the first person to publicize news of the attack, said it doesn’t look like the code did anything aside from the cryptomining.
“The attackers only changed code belonging to Texthelp so once Texthelp had removed it, everything went back to normal,” Helme wrote in an email.
Many state and local governments in the U.S. ran the infected JavaScript library, including:
- Indiana's state website, as well as its Medicaid portal
- The Cook County, Ill., treasurer’s website, as well as its property tax portal
- The Washington Metropolitan Area Transit Authority
- Corpus Christi, Texas
- Frederick County, Md.
- The Massachusetts municipalities of Andover, Westford, Framingham and Belmont, as well as Andover Public Schools
- The Forest Preserve District of DuPage County, Ill.
- Russell Library in Middletown, Conn., and Fort Vancouver Regional Library in Washington state
- Saline Area Schools in Michigan
- The city of Alameda, Calif.
But the implications of the attack’s success are much bigger.
Third-Party Code Could be a Huge Problem for Government
The problem, in this case, was that the attacker only had to target one product in order to infiltrate every website that used it. An even larger issue is that a great many government websites run third-party code like Browsealoud.
“I would say (third-party code) is rampant,” said Mike Roling, chief information security officer for the state of Missouri. “If you look at WordPress and Drupal websites, I would say a majority of government websites are built on those content management system platforms. The plugins or modules, they are third-party for the most part.”
That code has, for a long time, been one of the weakest points of defense for government websites. And it’s not just vulnerable to cryptojacking — it could be used to target website visitors in a number of ways.
“It could have been much worse,” Roling said. “They could have deployed a Web exploit kit that identifies holes in users’ browsers and then they can deploy malicious code through a vulnerability within Internet Explorer or Flash, Java, whatever it might be, in a back door in hundreds if not thousands of users’ machines.”
It’s not so much an avenue of stealing data the government is storing, but it could be used to steal data from the people visiting government websites. Effectively, it can turn a website meant to help constituents into one that harms them.
In a blog post, Helme illustrated a modification to the code in question that would have prevented the sites from loading the malicious script: a subresource integrity, or SRI, attribute. It effectively acts as a gatekeeper, preventing the script from running if it’s been modified.
Roling agreed that this might be an effective solution, but there are a couple of problems with it. One is that SRI might not be supported on all users’ Internet browsers. Another is a simple workflow issue — even a legitimate modification coming from the company that makes a plugin would trip the SRI check and prevent the script from loading until the site updates its hash.
“It’s a good idea, but I don’t know if it’s manageable, because any time Texthelp rolls out new capabilities for their Browsealoud service, you’re going to have to update the hash,” Roling said.
There are some more general ways for governments to protect their websites.
“To reduce your overall risk of an attack like this, obviously ensuring that your software is up to date, your content management system that powers your website … needs to be maintained continuously, and that goes for all the various third-party plugins,” he said.
Mike Krygier, deputy chief information security officer for New York City Cyber Command, recommended 24/7 vulnerability scans of websites, as well as keeping tabs on third parties.
"Governments should conduct frequent reviews of their third-party providers, especially those that supply components integrated into public-facing websites and key applications," Krygier wrote in an email.
The Threat of Cryptojacking
Using third-party code to infiltrate websites isn’t new. But cryptojacking is. Cryptocurrency, currency that exists online and which many people are now willing to exchange for government-backed money, has become very popular and very profitable in recent years. Hackers pulling off ransomware attacks often demand their payments in bitcoin, and price fluctuations in that particular cryptocurrency have given rise to a speculation industry.
So now, since about the latter half of 2017, Roling says more hackers appear to be infiltrating systems to get their hands on cryptocurrency rather than carrying out other kinds of malicious attacks.
“What motivates attackers, the bottom line is money,” Roling said. “So they’re shifting more into this cryptomining JavaScript rather than … other attacks.”
It basically means stealing resources from the user’s machine, whether that’s a computer, tablet, smartphone or some other Internet-connected device.
“I’ve read some situations where it will tie up the machine and it’s not really usable until you kill the browser’s process,” he said.
And the confounding detail of this particular type of attack is that it’s very hard for the person running the website to know it’s even happening.
“There would be no easy way for that website owner to know about it, just because they’re not even going to be seeing this traffic themselves, because that [app] is being hosted by a third party,” Roling said.
So, the only way for the person who owns the infected website to know what’s happening is if they have an end-user’s view.
And there's reason to believe the problem will grow. After all, cryptocurrency mining is about how much processing power each miner has. Hijacking other people's machines gives those doing the hijacking a competitive advantage.
"Government and industry will have to continue to think about how to deal with the theft of computing resources to mine cryptocurrency and the burgeoning demand for mining capacity by cybercriminals and others," Krygier wrote.