Once Again, a Cryptomining Supply Chain Attack
Security researcher Scott Helme discovered that a third-party accessibility script called ‘Browsealoud’ had been compromised. Within the past 24 hours it was found that the script, which sites embed as JavaScript from the vendor’s servers, had been modified to carry cryptomining code, which caused more than 4,000 websites to serve it to their visitors.
The injected code uses the CPU of visitors to mine the Monero cryptocurrency. Browsealoud was found on government websites including the UK Information Commissioner’s Office, Australian state government sites and the UK National Health Service, among others.
The company that makes the Browsealoud script is ‘Texthelp’. In a statement the company said that its product had been compromised for about four hours, during which every site that embedded the script loaded the malicious code. The script was immediately taken offline and an investigation was launched.
Cryptomining Attacks on the Rise
A WordPress plugin was recently barred for including cryptomining code, specifically Coinhive code that mines the Monero currency. Any user who visited a site running such a plugin would have their browser’s CPU resources used to mine Monero, with the proceeds going to the plugin owner. Scott reports that the Browsealoud campaign likewise used Coinhive code to mine Monero and send the proceeds back to the attacker.
Supply Chain Attacks Have Wide Impact
Dan Moen wrote about the emerging threat of supply chain attacks. He mentioned how, “in light of the rise in supply chain attacks we saw in 2017 targeting WordPress, it is quite likely that 2018 is going to see a large number of these kinds of attacks affecting site owners and we had better get the word out, which we did. In the software industry, a supply chain attack exploits a trusted relationship between software vendors or authors and their customers. In that post, we were focused on discussing the risk of compromised plugins affecting thousands of WordPress sites.”
This is the kind of supply chain attack that affects the “trusted relationship between vendors and their customers”. You trust a service and include its JavaScript on your website. If that service is compromised, every website that uses it is affected. The same is the case with WordPress plugins: a single compromise of the source lets malicious code reach thousands of websites.
In the case of Browsealoud, the reach was much wider. The compromised script was being served by government websites in several countries, and the attacker used the CPU resources of those sites’ visitors to mine the Monero cryptocurrency.
JavaScript Supply Chain Attacks Take Effect Instantly
What sets a JavaScript supply chain attack apart from others is that the moment the attacker installs the malicious code, victims are affected. The code is loaded on every visit from the compromised server, and no action is required by the site administrator or site visitors. The moment a code change is made, it is active in victims’ browsers.
This is different from application supply chain attacks or WordPress plugin supply chain attacks. An application supply chain attack needs the compromised application to be distributed before it exploits users. Desktop or mobile users need to upgrade to the new version before they are affected. Even if the attacker somehow pushes out an auto-update, there is some delay before it takes effect.
A WordPress plugin supply chain attack needs site owners to update to the compromised plugin version before it becomes active. JavaScript supply chain attacks are active instantly, loaded by site visitors as soon as the attacker saves the file to the distribution web server. That is why it is critically important to use Subresource Integrity (SRI) for all external scripts on your site: the browser hashes the fetched script and refuses to execute it if the hash does not match the one pinned in the tag.
The write-up, sourced from wordfence.com, asks readers to spread the word about the risk of JavaScript supply chain attacks and how to protect against them using Subresource Integrity.