
UK government sites infected with a cryptominer - flother
https://twitter.com/Scott_Helme/status/962684239975272450
======
raesene9
The use of 3rd Party JavaScript is endemic in websites these days, so not a
big surprise that attackers are targeting them, given they've got an
application (cryptomining) that can generate a revenue stream.

Unfortunately a lot of companies don't really seem to realise that when they
include 3rd party JS they're implicitly trusting the security of that third
party. I'd imagine many don't do much in the way of due diligence before
including the scripts.

As mentioned in Scott's related blog post ([https://scotthelme.co.uk/protect-site-from-cyrptojacking-csp-sri/](https://scotthelme.co.uk/protect-site-from-cyrptojacking-csp-sri/)), SRI is a decent, at least partial, defence against this
kind of thing, but unfortunately it hasn't (in my experience) seen much in the
way of take-up as yet.

------
notspanishflu
Related tweet
[https://twitter.com/fransrosen/status/962709013329670145](https://twitter.com/fransrosen/status/962709013329670145)

"Same attack as described here: [https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/](https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/) … it's scripts
hosted in an S3 bucket without proper access controls"

Edit. Also see [https://scotthelme.co.uk/protect-site-from-cyrptojacking-csp-sri/](https://scotthelme.co.uk/protect-site-from-cyrptojacking-csp-sri/)

------
pell
Are these miners effective enough? I guess at scale they should have some
value, but my initial gut feeling would lead me to believe that even a huge
botnet can hardly compete with dedicated hardware.

~~~
takluyver
Some cryptocurrency algorithms are designed to be less amenable to
acceleration with special hardware, so that CPU mining remains effective.
Monero, the one involved in this case, appears to be one such.

