L.A. Times website injected with Monero cryptocurrency mining script

The cryptojacking attack appears to have persisted for weeks before being addressed, as it was configured to not max out CPU usage. Hackers injected it through an unsecured AWS S3 bucket.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • An unsecured AWS S3 bucket allowed attackers to inject a Monero mining script into a website run by the L.A. Times.
  • Extensive use of the Coinhive mining platform by hackers has led browser and anti-malware vendors to block access outright.

The Homicide Report, a website operated by the L.A. Times that lists people killed within Los Angeles County over the last 12 months, was hacked to include a JavaScript miner for the Monero cryptocurrency. This attack, like many others, leveraged the Coinhive mining platform.

While Coinhive is technically a legitimate operation, granting website owners the capability to mine cryptocurrency on the computers of end users, the number of illegitimate uses of the service seems to outweigh legitimate ones. This month, thousands of government websites in the UK, US, and Australia were infected with Coinhive's mining script. The assistive technology "Browsealoud," intended to make websites navigable for users with visual impairments, was compromised, giving hackers a way to inject the mining script.

In the case of the L.A. Times website, hackers leveraged an AWS S3 bucket that was erroneously configured to be publicly writable to inject the mining script. Curiously, in this instance, the script was not configured to run at max settings, which may have enabled it to go undetected.
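The misconfiguration described above can be audited from a bucket's ACL and bucket policy. The following is an added example, not code from the article or from any party it names: it flags public write access in data shaped like boto3 `get_bucket_acl` and `get_bucket_policy` output. The sample ACL, the sample policy and the bucket name `example-bucket` are constructed, and the check is narrowed to unconditional `Allow` statements with `Action` lists.

```python
import fnmatch
import json

# Group URIs S3 ACLs use for "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that let a caller replace objects or loosen access controls.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:PutBucketAcl",
                 "s3:PutBucketPolicy", "s3:DeleteObject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def public_write_findings(acl, policy_json=None):
    """Return one finding per ACL grant or policy action that lets the public write."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS and grant.get("Permission") in ACL_WRITE:
            findings.append(f"ACL: {uri.rsplit('/', 1)[-1]} has {grant['Permission']}")
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not flagged here
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain wildcards.
            hits = [a for a in WRITE_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
            if hits:
                findings.append(f"Policy {stmt.get('Sid', '(no Sid)')}: {pattern} matches {', '.join(hits)}")
    return findings

# Constructed sample data, shaped like boto3 get_bucket_acl / get_bucket_policy output.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print("\n".join(public_write_findings(SAMPLE_ACL, SAMPLE_POLICY)))
```

Public read grants are left unflagged on purpose, since a bucket serving website assets is often meant to be readable; the write and ACL-change grants are what allow a served script to be replaced.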

Troy Mursch, a security researcher at the Bad Packets Report, discovered the attack on the L.A. Times website. In a statement to ThreatPost, he estimated that the script had been in use since at least February 9th. While the L.A. Times declined to comment to ThreatPost, the script was removed from the website late Thursday.

Coinhive has persisted on the edge of acceptability for some time. The service has been used by The Pirate Bay since last September in lieu of traditional advertisements. The progressive politics website Salon has also started using Coinhive for users who have blocked normal advertising through the use of ad-blocking browser extensions.

However, some of the same ad-blocking browser extensions have proceeded to block Coinhive and related browser-based cryptocurrency miners. Opera 50, released last December, blocks drive-by mining attacks by default. MalwareBytes, a popular anti-malware program, has blocked Coinhive since September 2017.

Hackers have persisted in attempting to inject the Coinhive mining script through any possible attack vector. This month, attacks crafted specifically for Android devices, Microsoft Word documents, and the Telegram messaging app have been discovered, as well as a botnet called Smominru, which used the EternalBlue vulnerability developed by the NSA to turn Windows servers into a Monero mining monolith.

Madrid-based cybersecurity firm AlienVault has claimed in a new report that the North Korean government has been mining Monero in cyberattacks. Thomas Bossert, US Homeland Security advisor, cited North Korea as being the originator of the WannaCry attack, which also leverages the EternalBlue vulnerability.


About James Sanders

James Sanders is a Writer for TechRepublic. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.
