The LA Times website was found to be hosting crypto-mining software as a result of a hack.
According to Troy Mursch, a security researcher at the Bad Packets Report, attackers were able to exploit an improperly configured Amazon Web Services (AWS) S3 cloud storage bucket to gain access to the site and inject the Coinhive script into it. The affected page was the Homicide Report, which reports on those murdered in the last 12 months in Los Angeles County.
Coinhive, which is estimated to impact about a quarter of organizations globally, performs online mining of Monero cryptocurrency when a user visits a web page. Implanted JavaScript uses the computational resources of end users’ machines to mine coins, impacting system performance. While it’s offered as a legitimate service for webmasters looking for a monetization alternative to advertising, criminals often embed it into websites without the site owners’ knowledge, and unscrupulous websites use it without letting site visitors know.
In this case, the script was set to mine at non-maximum levels, thus consuming less compute power and allowing it to go undetected, possibly for as long as two weeks, according to the researcher.
It’s a different take on the usual S3 headlines, Zohar Alon, co-founder and CEO, Dome9, told Infosecurity.
“Last year, we saw a spate of breaches where hackers went after valuable data in the public cloud. But data is not the only valuable asset in the cloud,” he said. “Now we’re starting to see hackers steal compute cycles for crypto-mining. By flying under the radar, these illegal mining operations can go undetected for months, racking up the public cloud bill and costing millions.”
Carl Wright, chief revenue officer, AttackIQ, pointed out that the frequency of cloud misconfiguration incidents should be putting companies on notice to lock down their infrastructure. “This is seriously getting ridiculous,” he said via email.
“It’s another all-too-common tale for organizations – and it could have been avoided,” he said. “The attack surface has significantly expanded for many enterprises – without any guarantee of uniform security controls and processes. Consequently, it’s even more imperative that organizations assume attackers are constantly testing security controls for misconfigurations. If organizations are not continuously validating their security controls at this stage of the game, they are going to end up a headline. How many more epic failures that could have been prevented will it take before people start testing?”