Weekly podcast: Browsealoud cryptojacking, Bee Token phishing and Olympic attacks

This week, we discuss the use of cryptocurrency mining software on numerous government websites, a phishing scam that robbed Bee Token investors of $1 million and cyber attacks on the Pyeongchang Winter Olympics

Hello and welcome to the IT Governance podcast for Friday, 16 February 2018 – and thanks to Camden for reading last week’s one while I was away. Here are this week’s stories.

I mentioned cyber criminals’ increasing use of cryptocurrency mining or ‘cryptomining’ software a couple of weeks ago. If you weren’t listening, it seems that rather than dropping ransomware on victims’ machines and hoping they pay to regain access to their files, cyber criminals are increasingly cutting out the middle man and infecting victims’ machines with software that uses their spare processing power to mine cryptocurrency – that is, to perform the proof-of-work calculations that validate transactions, in return for newly created coins.

It’s worth saying that there’s nothing wrong with cryptomining per se – it’s how new currency is brought into circulation. However, using others’ machines to mine for cryptocurrency without their knowledge indubitably constitutes malicious and illegal activity. Some call it cryptojacking.

All of this brings us to this week, when it emerged that thousands of government and public bodies’ websites were unwittingly running cryptomining software after a third-party plug-in’s JavaScript library was compromised.

According to security researcher Scott Helme, who broke the story, a plug-in called Browsealoud, which helps blind and partially sighted people access the web, was compromised at the weekend: one of its hosted JavaScript files was altered to inject the Coinhive cryptominer into every page that loaded it. Because each site using Browsealoud pulls the library from Texthelp’s servers rather than hosting its own copy, anyone who visited one of those sites will have run the miner in their browser for as long as the page was open, donating CPU time to the attackers’ Monero mining.

About 4,300 sites around the world were affected – including the Information Commissioner’s Office, the Student Loans Company, the General Medical Council, the Financial Ombudsman Service, and numerous .gov.uk and NHS sites in the UK. Texthelp took Browsealoud offline shortly after the compromise was reported.

Martin McKay, the CTO and data security officer of Browsealoud’s parent company Texthelp, said: “In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective; the risk was mitigated for all customers within a period of four hours.”

The National Cyber Security Centre has issued guidance for members of the public, website admins and JavaScript developers.

Talking of cryptocurrencies, a scammer has stolen over $1 million worth of ether (Ethereum’s cryptocurrency) from participants in the initial coin offering (ICO) of Bee Token, a blockchain-based home-sharing network.

BleepingComputer reports that the start-up launched its ICO on 31 January and ended it on 2 February, having raised $5 million. During this time, however, an attacker posing as the Bee Token team was sending phishing emails, “urging users who wanted to buy Bee Tokens to send Ethereum to wallets under his control”.

The Bee Token team “sent out three security alerts [1, 2, 3]” when it became aware of the issue and “created a Google Form to allow users to report scams”, but “people kept falling for the fake emails”.

According to ZDNet, Bee Token said:

“There was unauthorized access to one of Bee Token’s third-party vendors (which we have since terminated usage). The data that was potentially accessed includes email addresses, first names, and last names only, and this impacted [less than] 1 percent of our email list.

“We have no evidence that Bee Token itself was compromised by this event. We have not identified any malicious activity in our database”.

You can find out more about phishing on our website.

At the weekend, the organisers of the Winter Olympics in Pyeongchang confirmed that they’re investigating a cyber attack that took the games’ official website offline shortly before the opening ceremony began. Television and computer systems at Pyeongchang were also disrupted, and normal services resumed only 12 hours later.

Pyeongchang 2018 spokesperson Sung Baik-you said: “There was a cyber-attack and the server was updated yesterday during the day and we have the cause of the problem.

“They know what happened and this is a usual thing during the Olympic Games. We are not going to reveal the source.

“We are taking secure operations and, in line with best practice, we’re not going to comment on the issue because it is an issue that we are dealing with.

“We wouldn’t start giving you the details of an investigation before it is coming to an end, particularly if it was on security which, at these games, is incredibly important.”

Cisco’s Talos Intelligence Team analysed samples of the malware used in the attack and concluded that it was built to cause disruption, not to exfiltrate data. Talos dubbed the malware ‘Olympic Destroyer’ and said that it shared characteristics – notably the way it harvested credentials from infected hosts to spread laterally – with the Bad Rabbit and NotPetya malware used last year, which Ukraine blamed on Russia.

The Russian foreign ministry has denied involvement, however, saying: “We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea.

“Of course, no evidence will be presented to the world.”

Coincidentally, the Russian Olympic Committee was banned from the Pyeongchang games by an International Olympic Committee eligibility panel following widespread doping at the Sochi games in 2014. Nevertheless, 168 Russian athletes are competing at Pyeongchang, albeit under the designation ‘Olympic Athlete of Russia’ and a neutral flag rather than the Russian one.

That’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.