WordPress plugin hacked to mine cryptocurrency: government, ICO, NHS sites hit

US and UK government websites have been hit by malware mining the cryptocurrency Monero.

Government websites in the US and UK, including that of the UK Information Commissioner’s Office (ICO), have been hit by malware designed to mine cryptocurrency.

According to security researcher Scott Helme, the security breach resulted in over 4,000 sites serving up the malicious code.

Among those affected are the UK Student Loans Company (SLC), National Health Service (NHS) Scotland, and the Queensland government portal in Australia.

The compromised plugin is called Browsealoud, which helps visually impaired people to access text on websites. The malware uses a visitor’s own processor to mine for the Monero cryptocurrency.

Helme was made aware of the hack by fellow security specialist Ian Thornton-Trump, who discovered that the ICO’s website was hosting the malware.

Four-hour window of opportunity

Texthelp, the company that makes the plugin, reported that its product was infected for a period of four hours, according to a blog post by security firm Wordfence. Browsealoud was taken offline as soon as the problem was spotted.

In his own blog post, Helme said that the script for the Browsealoud plugin, ba.js, was altered to include the Coinhive cryptocurrency miner, which targets Monero.

“If you want to load a cryptominer on 1,000+ websites, you don’t attack 1,000+ websites, you attack the one website that they all load content from,” he said.

“In this case, it turned out that Texthelp, an assistive technology provider, had been compromised and one of their hosted script files changed.”
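How a site that embeds a vendor-hosted script such as ba.js can refuse an altered copy, as an added example that is not from the article, Helme's post or Texthelp: it reimplements in Node.js the check browsers perform for Subresource Integrity (SRI), a mechanism the article does not mention. The hosts, script bodies and function names are constructed for illustration.

```javascript
const { createHash } = require("crypto");

const STRENGTH = ["sha256", "sha384", "sha512"]; // weakest to strongest

// Value for a <script integrity="..."> attribute, computed over the exact bytes served.
function sriHash(body, algo = "sha384") {
  return `${algo}-${createHash(algo).update(body, "utf8").digest("base64")}`;
}

// Browser-side decision: of the listed hashes, only those using the strongest
// algorithm count, and the script runs only if one of them matches the fetched body.
function integrityMatches(integrityAttr, fetchedBody) {
  const tokens = integrityAttr.trim().split(/\s+/)
    .map((value) => ({ algo: value.split("-")[0], value }))
    .filter((t) => STRENGTH.includes(t.algo));
  if (tokens.length === 0) return true; // no usable hash: nothing is enforced
  const best = Math.max(...tokens.map((t) => STRENGTH.indexOf(t.algo)));
  return tokens
    .filter((t) => STRENGTH.indexOf(t.algo) === best)
    .some((t) => t.value === sriHash(fetchedBody, t.algo));
}

// Audit helper: cross-origin <script src> tags that carry no integrity attribute.
function unpinnedScripts(html, pageUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue;
    const url = new URL(src[1], pageUrl);
    const crossOrigin = url.origin !== new URL(pageUrl).origin;
    if (crossOrigin && !/\bintegrity\s*=/i.test(tag)) findings.push(url.href);
  }
  return findings;
}

// Constructed sample data (not the real ba.js, not real hosts).
const GOOD = "function readAloud(text) { /* vendor code */ }";
const TAMPERED = "/* injected miner loader would sit here */" + GOOD;
const PAGE = `
<script src="/js/site.js"></script>
<script src="https://cdn.vendor.example/ba.js"></script>
<script src="https://cdn.vendor.example/ba.js" integrity="${sriHash(GOOD)}" crossorigin="anonymous"></script>`;

console.log(integrityMatches(sriHash(GOOD), GOOD));      // unchanged file
console.log(integrityMatches(sriHash(GOOD), TAMPERED));  // altered file
console.log(unpinnedScripts(PAGE, "https://www.site.example/"));
```

A pinned hash only holds up when the vendor serves a fixed, versioned file, because any legitimate change to the script also fails the check until the embedding page updates its hash.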

Security testing

In a statement, Texthelp data security officer Martin McKay said, “Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.

“This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action. Texthelp can report that no customer data has been accessed or lost.”

He added that a security review would be conducted by a specialist independent consultancy. That investigation is still ongoing, and customers will receive an update when it has been completed.

Internet of Business says

As this ‘supply chain hack’ reveals, the downside of an interconnected world is that security problems can spread worldwide in seconds. This will be a major issue in the years ahead for the IoT, unless smart device manufacturers put enterprise-grade security programmes in place.