Cryptocurrency Malware Hits #UK, #US, Australian #Government Websites

A security researcher uncovered over 4,000 websites compromised by malware that mines for cryptocurrency. Websites affected include several government websites in the UK, US, and Australia.


UK Government Websites, ICO Hijacked by Cryptocurrency Mining Malware

ZDNet | By Charlie Osborne

A number of government websites in the UK, US, and Australia, including the UK Information Commissioner’s Office (ICO), have been compromised by cryptojacking malware. According to security researcher Scott Helme, over 4,000 websites have been affected. The security consultant was made aware of the scheme after another security expert, Ian Thornton-Trump, pointed out that the ICO’s website had a cryptominer installed within the domain’s coding.

Helme confirmed the findings on Twitter, and upon further exploration, discovered that the mining code was present on all of the ICO’s web pages. It was not long before the researcher realized far more than the ICO had been compromised. Websites including the UK’s Student Loans Company (SLC), the UK National Health Service (NHS) Scotland, the Australian Queensland government portal, and US websites were also affected, such as uscourts.gov.

Cryptocurrency mining software is not illegal, and some websites have begun experimenting with plugins that borrow visitor CPU power to mine virtual currency, potentially as an alternative to advertising. However, malware that installs such mining software without consent is fraudulent, and legitimate websites that end up serving mining scripts slow down their visitors' systems. The researcher traced the code found on the ICO website to a third-party plugin, Browsealoud, which is intended to assist visually impaired visitors to websites. The plugin's developers, Texthelp, confirmed that the plugin had been compromised to mine cryptocurrency.

In a blog post, the researcher said that the script for the Browsealoud plugin, ba.js, was altered to include the Coinhive cryptocurrency miner, which specializes in Monero. Any website using the plugin and loading the file would then unwittingly load the cryptocurrency miner with it. As a result, it is not the websites themselves that have been internally compromised, but rather a third-party service that was tampered with for the purpose of cryptojacking.

“If you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the one website that they all load content from,” Helme noted. “In this case, it turned out that Texthelp, an assistive technology provider, had been compromised and one of their hosted script files changed.”

A public search on PublicWWW revealed that up to 4,275 websites may have loaded the infected script and mined cryptocurrency by borrowing visitor processing power as a result.

At the time of writing, the Browsealoud website is not accessible.

Texthelp said no customer information has been exposed due to the security lapse, and “Browsealoud [was removed] from all our customer sites immediately, addressing the security risk without our customers having to take any action.”

The exploit was active for roughly four hours on Sunday.

Texthelp intends to keep the plugin offline until 12.00pm GMT on Tuesday to “allow time for Texthelp customers to learn about the issue and the company’s response plan.”

Helme says that this attack vector is nothing new, but a simple tweak to the loading script would have prevented it from happening in the first place. By adding the Subresource Integrity (SRI) integrity attribute to the standard tag that loads a .js file, which lets a browser check whether the file has been modified before running it, the entire campaign could have been “completely neutralized.”

“In short, this could have been totally avoided by all of those involved even though the file was modified by hackers,” the researcher says. “I guess, all in all, we really shouldn’t be seeing events like this happen on this scale to such prominent sites.”

At the time of writing, the ICO website is not available.

On Sunday, the UK National Cyber Security Center (NCSC), part of the GCHQ intelligence agency, said that there is “nothing to suggest that members of the public are at risk.”

“NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency,” an NCSC spokesperson said. “The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely.”

Ransomware Posing as Flash Player Download

A new strain of ransomware hit organizations throughout Eastern Europe earlier this week. Spread through compromised websites, the Bad Rabbit ransomware poses as an Adobe Flash Player download, and after infecting one machine, can quickly spread through an organization’s network without being detected.


The Latest Ransomware Presents Itself as an Adobe Flash Player Download

Nextgov | By Keith Collins

A new strain of ransomware, called Bad Rabbit, began hitting organizations throughout Russia and Eastern Europe on Wednesday (Oct. 25). The malware is being spread through compromised websites, presenting itself as an Adobe Flash Player download.

“When users visited one of the compromised websites, they were redirected to 1dnscontrol[.]com, the site which was hosting the malicious file,” according to a blog post by Talos, Cisco’s threat intelligence team.

Once infected with the ransomware, victims are directed to a web page on the dark web, which demands they pay 0.05 bitcoin (roughly $285 USD) to get their files back.

After one computer on a network is infected, Bad Rabbit can quickly and covertly spread through an organization without being detected. Although the ransomware has been detected in several countries, it appears to be concentrated in organizations in Russia and Ukraine, particularly media outlets.

Third Largest County in U.S. Almost Lost $888K in Phishing Attack

Back in September 2017, a cybercriminal exploited Hurricane Harvey repair and rebuild efforts in the Houston area to dupe Harris County, the third largest county in the U.S., into releasing $888,000. While the county managed to recoup the payment, they plan on hiring a cyber security firm to review their internal policies and security controls, as increasingly sophisticated attacks from all over continue to target local governments.

Phishing Attackers Almost Steal $888K from Harris County, Texas, Prompting Cybersecurity Review

Government Technology | By Mihir Zaveri

On Sept. 21, not three weeks after Houston was ravaged by Hurricane Harvey, the Harris County auditor’s office received an email from someone named Fiona Chambers who presented herself as an accountant with D&W Contractors, Inc.

The contractor was repairing a Harvey-damaged parking lot, cleaning up debris and building a road for the county, and wanted to be paid. Chambers asked if the county could deposit $888,000 into the contractor’s new bank account.

“If we can get the form and voided check back to you today would it be updated in time for our payment?” read a Sept. 25 email from Chambers.

On Oct. 12, Harris County sent the money out. The next day, the county was quietly scrambling to get it back, after being alerted that the account did not belong to D&W, that Chambers did not exist and that county employees had been duped by a fraudster.

The county recouped the payment, but the ongoing investigation into who tried to take the county’s money and nearly got away with it has ignited a debate over the financial security and cyber security of the third-largest county in America. That debate comes as experts point to a growing number of increasingly sophisticated attackers from around the world, homing in on untrained employees or system vulnerabilities.

The incident now has become wrapped into an FBI investigation into a group that has attempted to extort local governments around the world, law enforcement officials said.

Meanwhile, some officials are moving to revamp their practices as others say further scrutiny of county defenses is necessary.

“We live in a rapidly changing world of technology that you can’t just sit pat and expect that the bad guys aren’t going to come after you,” Harris County Judge Ed Emmett said. “I think we need to look at all of our systems to be sure that somebody can’t get in and steal taxpayer money.”

The investigation into the incident comes as the cyber security of local governments has received increased scrutiny after reports in 2016 of Russian-sponsored attempts to hack campaign finance databases and software used by poll workers.

Harris County information technology officials last year acknowledged a “spike” in attempts to hack servers from outside of America’s borders, but, citing concerns over emboldening the hackers, they declined to say how big of a surge in hacking attempts the county was experiencing, whether it was election-related or which systems had been targeted.

Alan Shark, executive director and CEO of the Washington, D.C.-based Public Technology Institute, which partners with the National Association of Counties, said the attempt to steal money from Harris County was not typical, but local governments increasingly are becoming targets for hackers or other cyber criminals.

Shark said statistics to illustrate the trends specific to governments are hard to find, though he said they “mirror” those of the private sector. One firm estimates that by 2021, cybercrime will cost the world $6 trillion each year, up from $3 trillion in 2015.

“This is not somebody sitting in a college dorm somewhere, dreaming this up,” Shark said. “In most cases these are very sophisticated, more often happening from another nation or another country.”

Shark said local governments are particularly vulnerable after disasters.

Harris County Precinct 1 Constable Alan Rosen said his office has “worked the case as far as you can go,” and said that no county employee had been implicated.

“We’re working with the FBI because there have been multiple attempts by this group throughout the United States and abroad to phish in county governments, city governments, things like that,” Rosen said. “We’re working very closely with them.”

He declined to provide more information about the group being investigated, referring questions to the FBI office in Los Angeles.

An FBI spokeswoman said Wednesday she could not confirm or deny the investigation.

Rosen said he had never investigated such an incident before.

“But that doesn’t mean it hasn’t happened,” he said. “I just have not heard of it.”

The county makes nearly 10,000 payments to vendors each month totaling about $141 million, about a third of those in the form of electronic transfers like that set up in September to send out the $888,000.

Harris County Auditor Michael Post said he had never seen an attempt like the one from the fraudulent D&W contractor.

“I’m calling it a near miss,” Post said. “It was (nearly) $900,000. Oh my God, that happened. We did not want this to ever happen.”

He said while he cannot say for sure that it has not happened in the past, it likely would have been caught when whoever was supposed to receive the money did not.

Post said in the days after the incident, he created a five-person team that would begin reviewing every outgoing payment and double-checking that recipients are, in fact, who they say they are by calling and asking for verifying information. That team includes one individual certified by the Association of Certified Fraud Examiners.

Earlier this month, the auditor’s office staff went through training on how to review for fraudulent requests for payment.

Some say the changes so far do not go far enough.

Orlando Sanchez, the Harris County treasurer, who writes the actual checks for the county, said he would like to see a more comprehensive analysis of the county’s vulnerabilities. He said he has to write checks that are directed by the county auditor’s office, and he would like to see an outside agency or another county department audit the county’s payments.

On Jan. 9, Sanchez sought to hire an outside forensic financial investigation firm, Briggs and Veselka, to “review the county’s payment processes and controls,” but a vote on the proposal was postponed by Harris County Commissioners Court after the county attorney’s office said it objected to some technical terms of the proposed contract.

Commissioners Court is expected to consider at its Jan. 30 meeting a proposal to hire a firm to look over the county’s internal policies and cyber security controls when it comes to the payment process.

“We are a big operation,” Emmett said. “Harris County has got more people than 26 states. We’re well into the billions of dollars on an annual budget. I think the more eyes the better.”