A rapidly-expanding operation to mine Monero, a popular cryptocurrency, targeted over 5,000 websites in the UK, forcing government agencies to take urgent measures to prevent consumers from being affected.
The operation to mine Monero also affected the Information Commissioner’s Office’s website which had to be taken down to deal with the threat.
The operation to secretly mine Monero began after hackers managed to infect BrowseAloud, a widely-used plug-in that enabled visually-impaired and blind users to access websites, with a script that covertly mines cryptocurrency using the processing power of users’ devices.
Using BrowseAloud, hackers behind the operation infected as many as 5,000 websites, including websites belonging to the Student Loans Company, several NHS services, and local councils. This meant that the operation, if undetected, could victimise hundreds of thousands, perhaps millions, of citizens who visited such websites frequently. The mining operation also targeted the website of the Information Commissioner’s Office which was subsequently taken down.
Yesterday, a spokesperson for the National Cyber Security Centre admitted the existence of the operation and confirmed that the affected websites were taken down to mitigate the threat.
‘NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency. The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk,’ the spokesperson said.
This isn’t the first time that covert attempts to mine cryptocurrency using the processing power of users’ devices have been discovered. Last year, Lazarus Group, the infamous and feared North Korean hacker group, used a spearphishing campaign to mine Bitcoins. The group sent phishing e-mails to employees at several cryptocurrency firms about a vacant CFO position at a leading London-based cryptocurrency firm. The attachments in those e-mails contained first-stage Remote Access Trojans (RATs) which helped the hackers steal Bitcoins from victims’ systems.
In January, researchers at threat intelligence firm Alien Vault also discovered cryptocurrency-mining software that covertly mined Monero and sent the proceeds to a server owned by Kim Il Sung University in North Korea.
According to the researchers, the cyber criminals behind the operation downloaded a file named intelservice.exe onto victims’ devices. This file was known to be associated with previous cryptocurrency mining operations and was part of software called xmrig, which had been used in malware campaigns in the past.
‘It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining. On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software,’ they noted.