- Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack
- Security Affairs newsletter Round 149 – News of the week
- Hackers are exploiting the CVE-2018-0101 CISCO ASA flaw in attacks in the wild
- FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins
Posted: 11 Feb 2018 02:46 PM PST
Thousands of websites worldwide hijacked by a cryptocurrency mining code due to the hack of the popular Browsealoud plugin.
A massive attack hit thousands of websites around the world: crooks deployed Coinhive scripts that forced the sites to secretly mine cryptocurrency in visitors’ browsers.
The list of compromised websites (4275) includes the UK’s NHS, Information Commissioner’s Office (ICO) (ico.org.uk), the UK’s Student Loans Company (slc.co.uk), The City University of New York (cuny.edu), and the US government’s court system.
Once the hack was discovered, some sites went offline; the ICO also took its website down.
The compromised websites use the Browsealoud plugin which makes their content accessible for blind or partially sighted people by reading it.
In a time-window of roughly seven hours (between 0300 and 1145 UTC), all the websites using Browsealoud inadvertently ran the Monero cryptocurrency mining code.
The attackers injected an obfuscated version of the mining code into the plugin; once the hexadecimal-encoded payload was converted back to ASCII, it loaded the mining code in the webpage.
The alarm was raised by security expert Scott Helme, who was contacted by a friend who sent him the antivirus warnings he had received after visiting the UK ICO website.
“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.” said Helme.
“Someone just messaged me to say their local government website in Australia is using the software as well.”
The expert suggests using Subresource Integrity (SRI), which lets a site pin the expected hash of a third-party script so that a modified copy is not executed, to block unwanted code injected into affected websites.
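As an added example (not code from the article, from Texthelp, or from the Browsealoud plugin), the following script shows how SRI pins a third-party script: the site operator computes the hash of the script as published and ships it in the `integrity` attribute, and the browser refuses to run a fetched copy whose hash does not match. The script bodies and the CDN URL are constructed stand-ins; `sri_allows` is a simplified emulation of the browser-side check, written here for illustration.

```python
"""Added example: Subresource Integrity (SRI) hash generation and the
browser-side check it enables. Script bodies and URLs are constructed."""
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Value for the integrity="..." attribute: '<alg>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """The <script> tag a site operator publishes for a pinned script.
    crossorigin="anonymous" is needed for SRI on cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def sri_allows(integrity_attr: str, fetched_body: bytes) -> bool:
    """Simplified emulation of the browser check: the fetched body must match
    at least one token of the integrity attribute. Malformed tokens and
    unknown algorithms are ignored rather than treated as a match."""
    for token in integrity_attr.split():
        algorithm, sep, _expected = token.partition("-")
        if not sep or algorithm not in SRI_ALGORITHMS:
            continue
        if sri_hash(fetched_body, algorithm) == token:
            return True
    return False


# Constructed stand-in for the accessibility plugin as originally published.
ORIGINAL_PLUGIN = b"window.readAloud = function (el) { /* constructed plugin */ };\n"
# Constructed stand-in for the same file after foreign code was appended to it.
TAMPERED_PLUGIN = ORIGINAL_PLUGIN + b"/* constructed: appended third-party code */\n"

# What the site operator pins (assumed CDN URL, not a real one).
PINNED_INTEGRITY = sri_hash(ORIGINAL_PLUGIN)
PINNED_TAG = script_tag("https://cdn.example/plugin.js", ORIGINAL_PLUGIN)

if __name__ == "__main__":
    print(PINNED_TAG)
    print("original copy allowed:", sri_allows(PINNED_INTEGRITY, ORIGINAL_PLUGIN))
    print("tampered copy allowed:", sri_allows(PINNED_INTEGRITY, TAMPERED_PLUGIN))
```

The operational consequence is the trade-off the article implies: with SRI in place, a vendor pushing a legitimate update to the same URL also fails the check until the site updates the pinned hash, which is exactly why a silently modified plugin would have been blocked instead of executed.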
Texthelp, the company that developed the Browsealoud plugin, has removed its Browsealoud code from the web to stop the cryptocurrency mining operation.
"In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away," said Texthelp’s chief technology officer Martin McKay in a statement.
"Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline."
Texthelp confirmed that “no customer data has been accessed or lost,” and “customers will receive a further update when the security investigation has been completed.”
The malicious code was removed by 1600 UTC today; the UK’s ICO is currently in a minimal “maintenance” mode as a precaution.
(Security Affairs – Browsealoud plugin, cryptocurrency mining script)
The post Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack appeared first on Security Affairs.
Posted: 11 Feb 2018 06:42 AM PST
A new round of the weekly SecurityAffairs newsletter arrived!
The best news of the week with Security Affairs.
Once again thank you!
Posted: 11 Feb 2018 01:57 AM PST
Hackers are exploiting the CVE-2018-0101 Cisco ASA flaw in attacks in the wild, and proof-of-concept exploit code is available online.
This week, Cisco has rolled out new security patches for a critical vulnerability, tracked as CVE-2018-0101, in its CISCO ASA (Adaptive Security Appliance) software.
This is the second time the tech giant has issued a security patch to fix the critical vulnerability in Cisco ASA; the first one was released in January. The vulnerability could be exploited by a remote, unauthenticated attacker to execute arbitrary code or to trigger a denial-of-service (DoS) condition that causes the system to reload.
The affected models are:
Now the company confirmed that attackers are trying to exploit the vulnerability CVE-2018-0101 in attacks in the wild.
"The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory," reads the updated security advisory published by Cisco. "Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory."
The vulnerability was discovered by Cedric Halbronn and received a CVSS base score of 10.0, the highest one.
This week Halbronn presented his findings at the REcon conference in Brussels, in a talk titled ‘Robin Hood vs CISCO ASA Anyconnect.’ He highlighted that the vulnerability could be up to seven years old, because the AnyConnect Host Scan feature has been available since 2011.
The new attack scenario covered by the updated advisory sees an attacker exploiting the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.
A “Cisco ASA CVE-2018-0101 Crash PoC” was already published by some users on Pastebin.
(Security Affairs – CISCO ASA, CVE-2018-0101)
Posted: 11 Feb 2018 01:05 AM PST
Russian authorities have arrested some employees at the Russian Federation Nuclear Center facility, who are suspected of trying to use a supercomputer at the plant to mine Bitcoin.
The record values reached by the principal cryptocurrencies are attracting criminal organizations: the number of cyber attacks against the sector continues to increase, and malware authors (VXers) are focusing their efforts on the development of cryptocurrency-mining malware.
In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.
This week, security experts at Radiflow, a provider of cybersecurity solutions for critical infrastructure, discovered at a water utility the first documented case of a SCADA network infected with Monero cryptocurrency-mining malware.
“Radiflow, a provider of cybersecurity solutions for critical infrastructure, today announced that the company has revealed the first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.” reads the press release published by the company.
Radiflow revealed that the cryptocurrency malware was designed to run in stealth mode on the target system and even to disable security software.
“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” explained Yehonatan Kfir, CTO at Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”
A cryptocurrency-malware infection could have a dramatic impact on ICS and SCADA systems because the increased resource consumption affects the response times of the systems used to control physical processes in those environments.
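The symptom Radiflow describes, sustained CPU and outbound bandwidth consumption on hosts that normally sit near idle, is something an OT operator can watch for without any malware signature. The following detector is an added example (not Radiflow's code and not part of the article): it scans constructed per-host telemetry samples and reports hosts where both CPU and outbound traffic stay above threshold for several consecutive samples, while ignoring isolated spikes such as a historian's periodic batch job. Host names, thresholds and sample values are all constructed.

```python
"""Added example: flag hosts with sustained CPU + outbound bandwidth load,
the symptom described for the Radiflow case. Telemetry is constructed."""
from collections import defaultdict

# Constructed samples: (timestamp, host, cpu_percent, bytes_out_per_interval).
# hmi-01 idles; eng-ws-02 stays pegged from t=2 on; the historian spikes
# briefly at t=2 and t=5 (a normal batch job) but never stays hot.
SAMPLES = [
    (1, "hmi-01", 4, 12_000), (2, "hmi-01", 6, 11_500), (3, "hmi-01", 5, 12_300),
    (4, "hmi-01", 3, 11_900), (5, "hmi-01", 4, 12_100),
    (1, "eng-ws-02", 8, 20_000), (2, "eng-ws-02", 97, 850_000),
    (3, "eng-ws-02", 99, 910_000), (4, "eng-ws-02", 98, 880_000),
    (5, "eng-ws-02", 99, 905_000),
    (1, "historian", 35, 300_000), (2, "historian", 92, 320_000),
    (3, "historian", 40, 310_000), (4, "historian", 38, 305_000),
    (5, "historian", 91, 315_000),
]


def sustained_load_hosts(samples, cpu_threshold=90, min_consecutive=3,
                         bytes_out_threshold=500_000):
    """Return {host: (first_hot_ts, last_hot_ts)} for hosts whose CPU is at or
    above cpu_threshold AND whose outbound traffic is at or above
    bytes_out_threshold for at least min_consecutive consecutive samples.
    Requiring both signals together is what separates a miner from a busy
    but legitimate local process; requiring a run filters single spikes."""
    by_host = defaultdict(list)
    for ts, host, cpu, bytes_out in sorted(samples):
        by_host[host].append((ts, cpu, bytes_out))

    flagged = {}
    for host, rows in by_host.items():
        run_start = None
        run_len = 0
        for ts, cpu, bytes_out in rows:
            hot = cpu >= cpu_threshold and bytes_out >= bytes_out_threshold
            if not hot:
                run_start, run_len = None, 0
                continue
            if run_start is None:
                run_start = ts
            run_len += 1
            if run_len >= min_consecutive:
                # Extend the reported window as long as the run continues.
                flagged[host] = (run_start, ts)
    return flagged


if __name__ == "__main__":
    for host, (start, end) in sustained_load_hosts(SAMPLES).items():
        print(f"{host}: sustained high CPU and outbound traffic from t={start} to t={end}")
```

In a real deployment the thresholds would come from each host's own baseline rather than fixed numbers, since an engineering workstation and an HMI have very different idle profiles; the structure of the check (two correlated signals, held over a window) is the part worth keeping.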
While the story was making the headlines, the Russian Interfax News Agency reported that several scientists at the Russian Federation Nuclear Center facility (aka All-Russian Research Institute of Experimental Physics) had been arrested by authorities charged for mining cryptocurrency with “office computing resources.”
The nuclear research plant is located in Sarov; in 2011, the Russian Federation Nuclear Center deployed a new petaflop supercomputer there.
The scientists are accused of having abused the computing power of one of Russia’s most powerful supercomputers, located in the Federal Nuclear Center, to mine Bitcoins.
The supercomputer is normally isolated from the Internet, but the researchers were discovered while attempting to connect it online. The Federal Security Service (FSB) has arrested the researchers.
“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency.
“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them.”
(Security Affairs – Russian Federation Nuclear Center facility, Mining)