LA Times website injected with Monero cryptocurrency mining script

The cryptojacking attack appears to have lingered for weeks before being addressed, as it was configured not to maximize CPU usage. The hackers injected it through an unsecured AWS S3 bucket.

Building a slideshow, a pitch or a presentation? Here are the big takeaways:

  • An insecure AWS S3 bucket allowed attackers to inject a Monero mining script into a website run by the LA Times.
  • Heavy use of the Coinhive mining platform by hackers has led browser and anti-malware vendors to block access.

The Homicide Report, a website operated by the LA Times that lists those killed in Los Angeles County over the past 12 months, has been hacked to include a JavaScript miner for the Monero cryptocurrency. This attack, like many others, leveraged the Coinhive mining platform.

Although Coinhive is technically a legitimate operation, granting website owners the ability to mine cryptocurrency on end-user computers, the number of illegitimate uses of the service seems to outweigh legitimate uses. This month, thousands of government websites in the UK, US and Australia were infected with Coinhive’s mining script after “Browsealoud”, an assistive technology intended to make websites navigable for visually impaired users, was compromised, giving hackers a way to inject the mining script into every site that loaded it.
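The Browsealoud case is an injected third-party script, so one defender-side check is to compare the scripts a served page actually loads against an allowlist of hosts the site is known to use. The following is an added example, not code from the article or from any of the organisations it mentions; the host names in the allowlist and in the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of hosts the site legitimately loads scripts from
# (placeholder names, not any real publisher's hosts).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-news.test", "analytics.example-news.test"}


class ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # src values of external scripts, in page order
        self.inline = 0      # number of <script> tags without a src

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")  # HTMLParser lowercases attribute names
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def script_host(src):
    """Host an external script is fetched from; '' means a same-origin relative URL.
    Protocol-relative URLs ("//host/x.js") resolve to the host as well."""
    return urlsplit(src.strip()).netloc.lower()


def unexpected_script_sources(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return the src of every external script whose host is neither
    same-origin nor on the allowlist. Each entry is something a human
    should look at after a suspected injection."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return [
        src for src in parser.external
        if script_host(src) and script_host(src) not in allowed_hosts
    ]


def inline_script_count(html):
    """Inline scripts cannot be judged by host, so report their count separately
    (an unexplained increase versus a known-good baseline is worth a diff)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.inline


# Constructed sample page: two legitimate loads, one inline block, and one
# protocol-relative load from a host that is not on the allowlist.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script src="/static/site.js"></script>
<script>window.dataLayer = [];</script>
<script src="//miner.example.invalid/lib/miner.min.js"></script>
</head><body><p>sample</p></body></html>"""

if __name__ == "__main__":
    for src in unexpected_script_sources(SAMPLE_PAGE):
        print("unexpected script source:", src)
    print("inline scripts:", inline_script_count(SAMPLE_PAGE))
```

Run it against the HTML a crawler fetched from the live site rather than the files in the repository: the article's point is that the miner was added to what was being served, not to the source tree, so the serving layer (here, the S3 bucket) is what has to be checked.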


In the case of the LA Times website, an AWS S3 bucket mistakenly configured to be publicly writable was exploited by hackers to inject the mining script. Oddly, in this case, the script was not configured to use the maximum CPU share, which may have allowed it to go unnoticed for so long.
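A publicly writable bucket is visible in two places: the bucket ACL (a grant of WRITE or FULL_CONTROL to the AllUsers or AuthenticatedUsers group) and the bucket policy (an Allow statement with a wildcard principal and a write action). The audit below is an added example, not code from the article or from AWS; it runs offline over constructed ACL and policy documents shaped like the JSON `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return (the latter wraps the policy in a string under the `Policy` key, so it is parsed with `json.loads` first). The account id and role name in the hardened policy are placeholders.

```python
import json

# Canned group URIs AWS uses for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that let a grantee add or replace objects / change the ACL.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions (lower-cased) that let a principal modify bucket contents.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}


def _as_list(value):
    """Policy fields like Action and Principal.AWS may be a string or a list."""
    return value if isinstance(value, list) else [value]


def acl_public_write_grants(acl):
    """Return (group, permission) pairs where a public group is granted write."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        if grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_public(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_write_statements(policy):
    """Return (Sid, [write actions]) for Allow statements open to any principal.
    Caveat: Condition blocks are not evaluated, so a statement scoped down by a
    condition is still reported; treat a hit as something to review, not proof."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        hits = actions & WRITE_ACTIONS
        if hits:
            findings.append((stmt.get("Sid", "<no Sid>"), sorted(hits)))
    return findings


def audit_bucket(acl, policy_json):
    """Combine both checks; policy_json is the string from get-bucket-policy."""
    policy = json.loads(policy_json) if policy_json else {}
    return {
        "acl_public_write": acl_public_write_grants(acl),
        "policy_public_write": policy_public_write_statements(policy),
    }


# Constructed sample ACL: owner has full control, everyone can read AND write.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

# Constructed weak policy: public read is expected for a static site, public write is not.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]})

# Hardened form: writes only from a named deployment role (placeholder account/role).
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DeployWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/PLACEHOLDER-deploy-role"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_ACL, WEAK_POLICY))
    print(audit_bucket(SAMPLE_ACL, FIXED_POLICY))
```

The ACL finding and the policy finding are independent: fixing the policy alone still leaves the AllUsers WRITE grant, which is why the audit reports both before either is considered clean.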

Troy Mursch, security researcher at Bad Packets Report, discovered the attack on the LA Times site. In a statement to ThreatPost, he estimated the script had been in use since at least February 9. While the LA Times declined to comment to ThreatPost, the script was removed from the website Thursday evening.

Coinhive has sat on the edge of acceptability for some time. The service has been used by The Pirate Bay since last September instead of traditional advertisements. The progressive political website Salon has also started using Coinhive for users who block normal advertising with ad-blocking browser extensions.

However, some of the same ad-blocking browser extensions continue to block Coinhive and other browser-based cryptocurrency miners. Opera 50, released last December, blocks drive-by mining by default. Malwarebytes, a popular anti-malware program, has been blocking Coinhive since September 2017.

Attackers have kept pushing the Coinhive mining script through every available vector. This month, attacks specifically designed for Android devices, Microsoft Word documents and the Telegram messaging app were discovered, along with a botnet called Smominru that used the NSA-developed EternalBlue exploit to turn Windows servers into a single large Monero mining operation.

Madrid-based cybersecurity firm AlienVault has claimed in a new report that the North Korean government is exploiting Monero in cyberattacks. US Homeland Security Advisor Thomas Bossert cited North Korea as the source of the WannaCry attack, which also used the EternalBlue exploit.