Unsecured AWS led to cryptojacking attack on LA Times

Cryptojackers have been discovered sneaking mining code on to a big brand’s website through the back door of a poorly secured Amazon AWS (Amazon Web Service) S3 bucket.

Researchers at the Bad Packets Report said they noticed last week that The Homicide Report, an interactive map of city murders offered by the LA Times, was running a Coinhive Monero miner.

Present since at least February 9, the mining was throttled to run at a CPU level of under 30% in the hope this would allow it to go unnoticed for longer.

Ironically, what led researchers to the miner was its presence on an LA Times’s AWS S3 bucket – left in an unsecured state with public write permissions turned on – and not what was happening on the site itself.

Researchers even found a message suggesting someone else had discovered the open access before either Bad Packets Report or the cryptojackers. This read:

Hello, this is a friendly warning that your Amazon AWS S3 bucket settings are wrong. Anyone can write to this bucket. Please fix this before a bad guy finds it.

Unfortunately, the message went unread or unheeded and the bad guys did find out. The bucket and website were eventually cleaned by the LA Times after researchers gave them the bad news.

The incident bears a passing resemblance to the recent cryptojacking attack on an AWS S3 bucket belonging to Tesla, although without a website being involved. In that incident, the root cause was that admins forgot to set a bucket password.

The interesting follow-up is how easily incidents can be connected to the bad actors behind them.

According to the researchers, the Coinhive site key used in this attack was the same one used two weeks ago to plant miners on thousands of websites, including government sites such as the American court system (uscourts.gov) and the UK Student Loans Company.

Coinhive reportedly terminated this account but Bad Packets alleges it was used to earn the attackers the grand sum of $24 (£17) from the time it was hiding on the LA Times site.

That doesn’t sound like a lot for up to two weeks on a big website, but this was only one page. Get the same script on to hundreds or thousands of sites for any length of time and it’s not hard to see how this business model could be lucrative.

It’s a phenomenon being driven by the mania for virtual currencies, helped along by the simplicity of the earn-as-you-go business models promoted by cryptomining services.

What damage did this do?

From user’s point of view, not much. As long as miners are just stealing CPU time, they are a nuisance that can be stopped by shutting down the browser.

Still, what starts as a parasitic attack could, with easy access to cloud buckets and websites, quickly turn into something much more dangerous in the blink of an eye. The worry is that it there appears to be no shortage of cloud targets to rummage for.