Once Again, a Cryptomining Supply Chain Attack
The malware used the CPUs of site visitors to mine the Monero cryptocurrency. The compromised Browsealoud script was found on government websites including the UK Information Commissioner’s Office, an Australian provincial government website, the UK National Health Service and more.
The company that makes the Browsealoud plugin is Texthelp. In a statement, the company said that its product was infected for 4 hours, during which the affected websites served the injected code to their visitors. The plugin was immediately taken offline and an investigation was opened.
Cryptomining Attacks on the Rise
WordPress plugins have been barred from including cryptomining code, particularly code that mines the Monero currency. Such code makes the browser of any visitor to the affected website spend its CPU resources mining Monero, with the proceeds sent to the plugin owner. Scott reports that this campaign likewise used CoinHive code to mine Monero and send the proceeds back to the attacker.
Supply Chain Attacks Have Wide Impact
Dan Moen wrote about the emerging threat of supply chain attacks. He had mentioned how in “light of the rise in supply chain attacks we saw in 2017 targeting WordPress, it is quite likely that 2018 is going to see a large number of these kinds of attacks affecting site owners and we had better get the word out, which we did. In the software industry, a supply chain attack exploits a trusted relationship between software vendors or authors and their customers. In that post, we were focused on discussing the risk of compromised plugins affecting thousands of WordPress sites.”
In the case of Browsealoud, the incident is much worse. The attacker stole credentials from government websites in different countries and exploited the CPU resources of site visitors to mine the Monero cryptocurrency.
This differs from application supply chain attacks and WordPress plugin supply chain attacks. An application supply chain attack needs the compromised application to be distributed before it can exploit users: desktop or mobile users must upgrade to the new version before they are affected, and even if the attacker somehow pushes out an auto-update, there is some delay before it takes effect. A modified third-party script, by contrast, runs in every visitor’s browser on the next page load, on every site that embeds it, the moment the altered copy is served.