4,200+ websites, including USCourts.gov, UK's NHS services, other government sites were infected with cryptocurrency mining malware via hacked plugin
Biz scrambles to shut down crafty coin crafting operation — Thousands of websites around the world - from the UK's NHS and ICO …
The Register · Chris Williams
Related Coverage
- Data security investigation underway at Texthelp Texthelp
- View article eWeek
- Protect your site from Cryptojacking with CSP + SRI Scott Helme
- Government websites hit by cryptocurrency mining malware The Guardian · Patrick Greenfield
- View article Axios
- Cryptomining script poisons government websites - What to do Naked Security · Paul Ducklin
- View article NCSC Site
- View article Motherboard
- Thousands of government, orgs' websites found serving crypto mining script Help Net Security · Zeljka Zorz
- View article TechSpot
- UK government websites, ICO hijacked by cryptocurrency mining malware ZDNet · Charlie Osborne
- Hackers used Australian government websites to mine cryptocurrency, security researcher says ABC · Ariel Bogle
- View article SecurityWeek
- View article ValueWalk
- Government sites in US, UK and Australia found to be serving up cryptomining scripts SiliconANGLE · Duncan Riley
- Government websites hijacked by cryptocurrency-mining malware CNET · Katie Collins
- Cryptojackers Strike Again, Hitting Thousands of Sites Including US and UK Government Pages Gizmodo · Tom McKay
- The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries Troy Hunt
- View article DataBreaches.net
- Cryptojacking attack hits ~4,000 websites, including UK's data watchdog TechCrunch · Natasha Lomas
- Government websites in US, UK and Australia hacked to run secret cryptocurrency miner BetaNews · Mark Wycislik-Wilson
- UK, Australian Government Websites Cryptojacked by Mining Malware NewsBTC · Martin J. Young
- UK Government Websites Hit By Crypto Mining Malware CoinDesk · Wolfie Zhao
- How the U.S. Courts Website Unwittingly Became a Cryptocurrency Miner Fortune · David Meyer
- Thousands of websites hit by cryptocurrency mining malware Neowin · Gabriel Nunes
- UK and US government websites hit by cryptocurrency-mining malware Silicon Republic · Ellen Tannam
- Hackers hijack gov-run websites to mine Monero cryptocurrency Inquirer · Carly Page
- Government Websites Attacked by Mining Malware Bitcoinist.com · James Levenson
- Hackers hijack government websites to mine crypto-cash BBC
- Government websites have quietly been running cryptocoin mining scripts The Next Web · Matthew Hughes
- Cryptojacking attack hits Australian government websites The Guardian · Naaman Zhou
- US, UK government websites infected by cryptomining malware SlashGear · JC Torres
- Hackers hijack UK websites to secretly mine cryptocurrency UKTN · Yessi Bello Perez
- What is cryptojacking? Cryptocurrency mining malware hits thousands of US and UK government websites International Business Times · Kukil Bora
- Mining Malware Tsunami Continues: ‘5000’ High-Profile UK Websites Hit By Tainted Plugin Cointelegraph.com News · William Suberg
- Cryptomining Supply Chain Attack Hits Government Websites Wordfence · Mark Maunder
- U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked BleepingComputer.com · Lawrence Abrams
- Text-to-speech service spreads cryptomining code far and wide bit-tech.net · Gareth Halfacree
- Cryptocurrency-mining malware spotted on more than 4200 sites including UK, US, and Australian government sites Boing Boing · Cory Doctorow
- Government websites fall prey to cryptocurrency mining hijack Engadget · Jon Fingas
- U.S., UK government websites infected with crypto-mining malware: report Reuters
Discussion
-
@zittrain
Jonathan Zittrain
on x
You'd think you could trust the web site of, say, the U.S. court system. But it and thousands of other sites have been infected by drawing from third-party libraries on the fly — ready to use visitors' PC power to mine cryptocurrency: http://scotthelme.co.uk/... @scott_helme
-
@troyhunt
Troy Hunt
on x
Statement from @texthelp on the compromise of their script (which was then embedded into a heap of other sites) http://www.texthelp.com/...
-
@mor10
Morten Rand-Hendriksen
on x
Two immediate thoughts: 1. Site owners + devs have a duty of care to end-users to protect from or clearly disclose cryptocurrency mining scripts. 2. The service at the heart of all this needs #ethics review + independent audit. http://scotthelme.co.uk/... @scott_helme
-
@hrbrmstr
@hrbrmstr
on x
Why pwn thousands of sites directly when you can pwn the JS CDN they rely on? // Protect your site from Cryptojacking with CSP + SRI http://scotthelme.co.uk/...
-
@scott_helme
Scott Helme
on x
I've written up the story surrounding the cryptojacking problems we've seen hit thousands of sites today: http://scotthelme.co.uk/...
-
@scott_helme
Scott Helme
on x
The script tags on http://scotthelme.co.uk/, http://report-uri.com/ and http://securityheaders.io/ all have the integrity attribute on them. You don't want your CDN to be able to compromise you like this. Go and enable SRI and enforce it with CSP. http://scotthelme.co.uk/...
-
@troyhunt
Troy Hunt
on x
Gov website crypto miner issue was supply chain compromise. Lack of web security fundamentals (SRI & CSP) made it possible. Was literally “let an external partner run anything on our site & don't tell us when it goes wrong”. Here's @Scott_Helme's writeup: http://scotthelme.co.uk/…
-
@scott_helme
Scott Helme
on x
Here's a list of 4,275 sites that are most likely *all* victims: https://publicwww.com/... ealoud.com%2Fplus%2Fscripts%2Fba.js/ ... These sites have neglected to deploy SRI and CSP, which would have completely mitigated this attack.
-
@charlesarthur
Charles Arthur
on x
Holy heck this thread. JavaScript cryptominers all over the shop. http://twitter.com/...
-
@scott_helme
Scott Helme
on x
Let's also clear something else up: As terrible as it is that a crypto miner was injected into all of these sites, in reality, this could have been catastrophically worse. Key loggers, malware, DDoS scripts, BeEF hooks, or, all of the above and more...