In what is starting to become a regular occurrence these days, the LA Times suffered from a cryptojacking attack due to an unsecured AWS server.
A poorly fortified S3 bucket, what else?
Researchers at Bad Packets Report noticed it a week or so back, revealing that The Homicide Report offered by the LA Times was running a Coinhive Monero miner. The Homicide Report, in case you’re unaware, is an interactive map of city murders offered by the newspaper.
The miner had actually been present since February 9, throttled to run at a CPU level of under 30% in the hopes that it would go undiscovered longer.
Speaking of discoveries, someone even left a message after they found open access:
“Hello, this is a friendly warning that your Amazon AWS S3 bucket settings are wrong. Anyone can write to this bucket. Please fix this before a bad guy finds it.”
Ironically, what led the researchers to its presence was not what was happening on the website, but the AWS S3 bucket itself, which was left in an unsecured state with public write permissions turned on.
Both the bucket and the website were eventually cleaned by the LA Times after it received the bad news from the researchers. But not before the miner was allegedly used to earn the attackers the grand sum of $24 over the time it was hiding on the LA Times website — or a single page, rather.
Goes to show just how simple compromising a large organization can be these days.
Unnoticed, at that.