Gov sites caught in cryptojack
Australian government websites have been covertly used to mine for cryptocurrencies.
A series of sites have been the victims of a kind of cyber-attack known as ‘cryptojacking’, in which malware is implanted to force visitors’ computers to secretly mine cryptocurrency.
Government websites were infected with the malware after a third-party browser plug-in was compromised.
The global attack hit thousands of sites, including the UK’s National Health Service, and the UK’s own data protection watchdog.
In Australia, the official website of the Victorian parliament, the Queensland Civil and Administrative Tribunal, the Queensland ombudsman, the Queensland Community Legal Centre homepage, and the Queensland legislation website (which lists all of the state’s acts and bills) were hit.
Victoria’s City of Casey council, Western Australia’s City of Bayswater council, South Australia’s City of Unley council, and the office of the Queensland Public Guardian were among those affected too.
The attack was made through a vulnerability in the popular browser plug-in Browsealoud, which converts text to audio for visually impaired web users.
The makers of Browsealoud, Texthelp, have confirmed that hackers inserted a script known as Coinhive into their software, allowing them to hijack the processing power of a user’s computer to mine the cryptocurrency Monero.
Texthelp took the Browsealoud plug-in offline after the issue was uncovered, preventing new visitors to the affected sites from being served the cryptojacking script.
Scott Helme, the security researcher who discovered the malware, says government websites should have been more vigilant.
“When you load software like this from a third party, that third party can change it and make it do whatever they want,” he said.
“There are easy ways to make sure they don’t do that.
“We don’t know how Texthelp were compromised yet, so it is hard to say whether they were really unlucky or there was some kind of inherent problem with what they were doing.
“But there were ways the government sites could have protected themselves from this. It may have been difficult for a small website, but I would have thought on a government website we should have expected these defence mechanisms to be in place.”
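The article does not spell out the "easy ways" Helme refers to. One standard browser mechanism for exactly this risk is Subresource Integrity (SRI): the page pins a hash of the third-party script in the `<script>` tag, and the browser refuses to run a file whose contents no longer match. The Python below is an added example, not code from the article, Texthelp or Browsealoud; the script bytes, the HTML snippet and the `third-party.example` URL are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: the script as published by the third party, and a
# tampered copy with extra code appended (both made up for this example).
ORIGINAL_SCRIPT = b"window.speak = function (t) { /* text-to-speech */ };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"(function () { /* injected code */ })();\n"

# Constructed page: one unpinned include, one pinned with SRI + crossorigin.
SAMPLE_HTML = (
    '<script src="https://third-party.example/plugin.js"></script>\n'
    '<script src="https://third-party.example/plugin.js" '
    'integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>\n'
)

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build an SRI integrity value: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: fetched bytes must match one listed hash.
    Only the SRI algorithms (sha256/384/512) count; anything else is ignored."""
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(content, algo) == token:
            return True
    return False

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)(?:\s*=\s*"([^"]*)")?')

def audit_script_tags(html: str) -> list[dict]:
    """List every external <script src=...> and whether it is pinned with SRI.
    A cross-origin script needs crossorigin= as well, or the browser cannot
    check the hash and will block the load."""
    report = []
    for m in SCRIPT_TAG_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        if "src" not in attrs:
            continue  # inline script: nothing for SRI to pin
        report.append({"src": attrs["src"],
                       "has_integrity": "integrity" in attrs,
                       "has_crossorigin": "crossorigin" in attrs})
    return report
```

Running `audit_script_tags` over a site's own pages is a quick way to find third-party includes that would have executed whatever the supplier's server returned, which is the exposure the article describes.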
Texthelp says an investigation is under way.
“The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers’ CPUs to attempt to generate cryptocurrency,” the company said.
“The exploit was active for a period of four hours on Sunday. The Browsealoud service has been temporarily taken offline and the security breach has already been addressed, however Browsealoud will remain offline until Tuesday 12.00 GMT.”