HACKERS HAVE HIJACKED various government-run websites with Coinhive's notorious Monero miner, which steals visitors' processing power to mine cryptocurrency.
Thousands of websites have been infected by the 'cryptojacking' malware, including the UK's Information Commissioner's Office, Student Loans Company and the Scottish NHS Helpline. In the US, the Indiana government and the US courts system were also discovered to be running the Monero-mining script.
The ICO's website has been taken offline by its administrators as they attempt to fix the problem, and is still unavailable at the time of writing.
As discovered by security researcher Scott Helme, the infection came through a third-party plugin called Browsealoud, developed by Texthelp, which aims to help those with impaired vision use the web.
On Sunday, as-yet-unidentified hackers corrupted the plugin, which meant users running Browsealoud who visited ico.org.uk, for example, would see their computer's CPU usage spike up while involuntarily making money for someone else.
"ba.js had been altered to include a document.write call that added a CoinHive crypto miner to any page it was loaded in to," Helme said in a blog post.
"This is a pretty bad situation to be in and any site that loads that file will now have the crypto miner installed. The sheer number of sites affected by this is huge and some of them are really prominent government websites."
Texthelp said in a statement that the compromised plugin has been taken offline, adding that a "thorough investigation" is underway.
"Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers' CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday."
The UK's National Cyber Security Centre (NCSC) has spoken out, saying that "Government websites continue to operate securely" and "there is nothing to suggest that members of the public are at risk."
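
The altered ba.js described above is the case a pinned script hash is meant to catch. The following is an added example, not code from the article, Helme or Texthelp: it applies Subresource Integrity-style matching (a mitigation the article itself does not mention) to a vendor script. The script bodies are constructed stand-ins and the function names are hypothetical.

```javascript
// Added example: SRI-style integrity check for a third-party script (Node.js).
const { createHash } = require('crypto');

// Digest algorithms in increasing strength, as ranked for integrity metadata.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Build an integrity token ("sha384-<base64 digest>") for a script body.
function sriToken(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body, 'utf8').digest('base64')}`;
}

// Parse an integrity attribute value into pins; malformed or unknown tokens are ignored.
function parseIntegrity(value) {
  const pins = [];
  for (const tok of value.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(?:\?.*)?$/i.exec(tok);
    if (m) pins.push({ alg: m[1].toLowerCase(), digest: m[2] });
  }
  return pins;
}

// Returns 'unpinned' when nothing usable is pinned, otherwise 'match' or 'mismatch'.
// Only pins using the strongest listed algorithm are considered, so a weaker
// digest can never override a stronger one.
function checkScript(body, integrity) {
  const pins = parseIntegrity(integrity);
  if (pins.length === 0) return 'unpinned';
  const strongest = ALGS.filter((a) => pins.some((p) => p.alg === a)).pop();
  const actual = createHash(strongest).update(body, 'utf8').digest('base64');
  const ok = pins.some((p) => p.alg === strongest && p.digest === actual);
  return ok ? 'match' : 'mismatch';
}

// Constructed sample data: the file as reviewed by the site owner, and the same
// file with one document.write line prepended by someone else.
const ORIGINAL_BA_JS = 'function baInit(){ /* constructed vendor code */ }\n';
const ALTERED_BA_JS =
  'document.write("<!-- constructed injected loader -->");\n' + ORIGINAL_BA_JS;

// Hash pinned by the embedding site at review time.
const PINNED = sriToken(ORIGINAL_BA_JS);

console.log('original:', checkScript(ORIGINAL_BA_JS, PINNED));
console.log('altered: ', checkScript(ALTERED_BA_JS, PINNED));
console.log('no pin:  ', checkScript(ALTERED_BA_JS, ''));
```

A site that pins the hash has to update it whenever the vendor ships a legitimate new version, which is the operational cost of this check.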