February 27, 2018

Who’s mining their coin in your customer’s browser?

Timo Ahomäki

Head of Portfolio Development, Tieto Security Services

Do you know what JavaScript supply chain attacks are? Read how to protect yourself against them.

The increasing interest in cryptocurrencies as investment instruments has not gone unnoticed by cyber criminals, who have always been interested in the monetisation potential of cryptocurrencies beyond their use as a payment instrument in extortion schemes. Cryptocurrency miners, rapidly challenging ransomware as the most prolific type of malware, are all over the news. Because they are in many ways similar to “traditional” types of malware, the methods of defence against them closely mirror those we are already used to.

JavaScript mining scripts, however, are a different beast altogether. Running in end-user browsers, they have the capability to evade many basic endpoint protection solutions. Additionally, since many of these scripts may well be deployed by legitimate owners of websites – an altogether different ethical discussion – a wholesale blocking approach is not a realistic solution.

On the 11th of February 2018, security researcher Scott Helme alerted the world that the website of the Information Commissioner’s Office (ICO), the UK privacy regulator, was infected with an illegitimate JavaScript miner for Monero, a “lightweight” cryptocurrency token. Upon investigation, it quickly became apparent that it was not the ICO website itself that had been compromised, but rather a third-party JavaScript library linked from the ICO site, as well as from over 4000 other sites, including many belonging to the UK government.

The JavaScript supply chain

With today’s complex, dynamic web sites, no site developer writes all the code of their service by themselves. Instead, the pages are built from dozens of components and libraries linked from all over the Internet. The benefits of linking the libraries – as opposed to copying – are many, including significant performance and bandwidth cost benefits when using a Content Delivery Network (CDN) to serve these components from the network edge.

There is a downside, however. Browsers typically accept the linked libraries as-is, meaning that whatever code the CDN serves is executed in the browser, no questions asked. In the case of the ICO, the compromised component was an external JavaScript library that aids site accessibility; the modified library went on to load an as such “legal” cryptocurrency mining script from Coinhive.

The nasty aspect of this is that, without the proper precautions in place, there is no easy way for the site owner to detect this type of problem: the offending script never touches the site owner’s servers. Protection therefore has to be deployed in the end-user’s browser, a daunting task by initial reckoning.

How to protect against JavaScript supply chain attacks

Now for the good news: there are solutions, and they are part of the standard functionality of all modern web browsers. The downside is that they require some work beyond just installing protective software. The two readily available solutions against this type of attack are called Subresource Integrity (SRI) and Content Security Policy (CSP).

SRI, the more complete solution, works on the basis of a pre-computed cryptographic hash for each linked resource. The browser recomputes the hash of the resource actually served from the CDN and compares it with the pre-computed one; if there is a mismatch, the browser refuses to load the offending resource. While highly effective against most supply chain type attacks, SRI assumes the resources to be immutable: every time a resource is updated to a new version, the hash has to be updated too.

While completely manageable with automated deployment systems, this model does not retrofit easily to many existing websites. For these, CSP offers a more flexible and only marginally less secure option. Against this type of attack, CSP works by pre-defining all the origins from which linked resources may be loaded. If a compromised but otherwise legitimate library attempts to load an additional resource, such as a mining script, from an origin that is not on the list, this creates a mismatch and the browser again rejects the resource.

CSP also protects against many other types of web-borne threats, so any site administrator should seriously consider adding it to their bag of tricks to protect the user experience.

JavaScript supply chain attacks, while not exactly new, are a good example of how the very fabric of the modern web can be used against its users. With cryptocurrency mining scripts now firmly in the mainstream, it is time for site administrators to have another look at the basic hygiene of how they use external resources to enhance the user experience, or else risk that experience turning into a painful slog, with the browsers of their users busily mining other people’s coin.
