Researchers said they found cryptojacking code hidden on the Los Angeles Times’ interactive Homicide Report webpage that was quietly harnessing visitors’ CPUs to mine Monero cryptocurrency.
Mursch told Threatpost that in the case of the LA Times the miner was throttled so that it had a reduced impact on visitors’ CPUs and would be harder to detect. Typically, cryptojacking attacks are not throttled and use 100 percent of the target’s CPU. As a result victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.
“Depending on the throttle amount, the impact [on visitors’ CPUs] can vary greatly,” Mursch told Threatpost. “In the case with the LA Times website, it was throttled so low the average user probably wouldn’t notice it running in the background.”
Mursch said he found the code after investigating an LA Times’ Amazon AWS S3 storage bucket that was misconfigured and giving anyone – including criminal cyptocurrency miners – the ability to write code to the server and the Homicide Report website.
The LA Times did not respond to a request for comment.
#Coinhive found on @latimes "The Homicide Report"
Luckily this case of #cryptojacking is throttled and won't murder your CPU.
Using @urlscanio we find Coinhive hiding in:
— Bad Packets Report (@bad_packets) February 21, 2018
Mursch said he notified the LA Times via email about the cryptojacking malware and advised it to remove the code as soon as possible.
#Coinhive has just been removed from @latimes "The Homicide Report" website. pic.twitter.com/ngpfaKlVt4
— Bad Packets Report (@bad_packets) February 22, 2018
According to the security researcher, the Coinhive cryptomining software found on the LA Times’ websites has surreptitiously been used many times before both on UK and US government sites as well as other news publication sites. Earlier this week, vehicle maker Tesla reportedly fell victim to a cryptocurrency mining attack when misconfigured Amazon S3 buckets allowed criminals to plant cryptoming malware on the company’s cloud environment, according to researchers at RedLock.
“No one knows who this individual is, however Coinhive has claimed they terminated them,” said Mursch.
In order to prevent these types of incidents, Mursch recommended that companies properly secure their cloud services and set up some sort of monitoring for all their services.
“In the case of the LA Times and many others, the easiest prevention method is to ensure your cloud services, such as AWS, are properly secured,” he said. “In the LA Times case, it appears anyone could write to their AWS bucket which in turn led to the cryptojacking code being placed by miscreants.”