Researchers said they found cyptojacking code hidden on the Los Angeles Times’ interactive Homicide Report webpage that was quietly harnessing visitors’ CPUs to mine Monero cryptocurrency.
The cryptojacking incident was found by Troy Mursch, a security researcher at Bad Packets Report, on Wednesday. He said the cryptominer has since been killed off. The cryptominer in question was made by Coinhive, a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content.
Coinhive’s JavaScript miner software is often used by hackers, who secretly embed the code into websites and then mine Monero currency by tapping the CPU processing power of site visitors’ phones, tablets and computers.
Mursch told Threatpost that in the case of the LA Times the miner was throttled so that it had a reduced impact on visitors’ CPUs and would be harder to detect. Typically, cryptojacking attacks are not throttled and use 100 percent of the target’s CPU. As a result victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.
“Depending on the throttle amount, the impact [on visitors’ CPUs] can vary greatly,” Mursch told Threatpost. “In the case with the LA Times website, it was throttled so low the average user probably wouldn’t notice it running in the background.”
That method appeared to have worked and kept the code secret for awhile. Mursch estimates the cyptojacking JavaScript code was hidden on the website since at least Feb. 9.
Mursch said he found the code after investigating an LA Times’ Amazon AWS S3 storage bucket that was misconfigured and giving anyone – including criminal cyptocurrency miners – the ability to write code to the server and the Homicide Report website.
The LA Times did not respond to a request for comment.
Luckily this case of #cryptojacking is throttled and won’t murder your CPU.
Using @urlscanio we find Coinhive hiding in:
https://latimes-graphics-media.s3.amazonaws[.]com/js/leaflet.fullscreen-master/Control.FullScreen.js pic.twitter.com/VOv5ibUtwJ— Bad Packets Report (@bad_packets) February 21, 2018
Mursch said he notified the LA Times via email about the cryptojacking malware and advised it to remove the code as soon as possible.
#Coinhive has just been removed from @latimes “The Homicide Report” website. pic.twitter.com/ngpfaKlVt4
— Bad Packets Report (@bad_packets) February 22, 2018
According to the security researcher, the Coinhive cryptomining software found on the LA Times’ websites has surreptitiously been used many times before both on UK and US government sites as well as other news publication sites. Earlier this week, vehicle maker Tesla reportedly fell victim to a cryptocurrency mining attack when misconfigured Amazon S3 buckets allowed criminals to plant cryptoming malware on the company’s cloud environment, according to researchers at RedLock.
“No one knows who this individual is, however Coinhive has claimed they terminated them,” said Mursch.
In order to prevent these types of incidents, Mursch recommended that companies properly secure their cloud services and set up some sort of monitoring for all their services.
“In the case of the LA Times and many others, the easiest prevention method is to ensure your cloud services, such as AWS, are properly secured,” he said. “In the LA Times case, it appears anyone could write to their AWS bucket which in turn led to the cryptojacking code being placed by miscreants.”
Source: ThreatPost