UK government sites infected with a cryptominer
twitter.com

The use of 3rd Party JavaScript is endemic in websites these days, so not a big surprise that attackers are targeting them, given they've got an application (cryptomining) that can generate a revenue stream.
Unfortunately a lot of companies don't really seem to realise that when they include 3rd party JS they're implicitly trusting the security of that third party. I'd imagine many don't do much in the way of due diligence before including the scripts.
As mentioned in Scott's related blog post (https://scotthelme.co.uk/protect-site-from-cyrptojacking-csp...) SRI is a decent, at least partial, defence against this kind of thing, but unfortunately it hasn't (in my experience) seen much in the way of takeup as yet.
Related tweet https://twitter.com/fransrosen/status/962709013329670145
"Same attack as described here: https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s... … it's scripts hosted in a S3-bucket without proper access controls"
Edit. Also see https://scotthelme.co.uk/protect-site-from-cyrptojacking-csp...
Are these miners effective enough? I guess, at scale they should have some value but my initial gut feeling would lead me to believe that even a huge botnet can hardly compete with dedicated hardware.
Some cryptocurrency algorithms are designed to be less amenable to acceleration with special hardware, so that CPU mining remains effective. Monero, the one involved in this case, appears to be one such.
They are effective enough at creating a poor user experience, eating all the users' CPU without their permission in exchange for government-provided text and wasting energy.
Whoever sets up a cryptominer like that doesn't have to pay for dedicated hardware or the electric bill, and as you know nothing can beat gratis-free.