Guys, you're killing us! LA Times homicide site hacked to mine crypto-coins on netizens' PCs
And they say there's no money to be made in newspapers
A Los Angeles Times' website has been silently mining crypto-coins using visitors' web browsers and PCs for several days – after hackers snuck mining code onto its webpages.
The newspaper's IT staffers left at least one of the publication's Amazon Web Services S3 cloud storage buckets wide open to anyone on the internet to freely change, update, and tamper.
Miscreants seized upon this security blunder to slip CoinHive's Monero-mining JavaScript code into the LA Times' interactive county homicide map at homicide.latimes.com.
People visiting this site will inadvertently start crafting alt-coins for whoever injected the code, unless they have antivirus or ad-blockers installed that prevent such scripts from loading. This particular coin-crafting script has remained hidden on the website since February 9.
For now it's probably a good idea to avoid that website and other LA Times online properties until the bucket is protected – software more malicious than a miner could be uploaded and injected, such as password sniffers and drive-by malware installers.
The scumbags who implanted the hidden crypto-miner were not the only ones to find the newspaper's world-writable S3 bucket. Others left a warning note, with the filename BugDisclosure.txt, in the vulnerable cloud storage urging technicians to secure the account:
Hello, This is a friendly warning that your Amazon AWS S3 bucket settings are wrong. Anyone can write to this bucket. Please fix this before a bad guy finds it.
The bucket is used to host graphics and other material for the daily paper's website. It appears an administrator has not only left read permissions open on the silo, but also enabled global write permissions, meaning anyone so inclined would be able waltz right in and inject code and other files into the paper's websites.
Naturally, someone soon did just that – the malicious JavaScript code can be found perched atop some innocent code within the murder map.
We have asked the LA Times for comment. A spokesperson was not immediately available. Infosec researcher Troy Mursch, who has been tracking these kinds of crypto-jacking attacks, also reached out earlier today to the Times, and said he had no response. We also reported the mining activity to CoinHive.
This is not the first case of a biz being exposed by an incorrectly configured S3 storage bin. Security researchers have created a cottage industry out of combing the internet for AWS buckets that have been improperly configured, resulting in the accidental exposure of millions of records and pieces of personal information.
Only this week were experts warning that it's not just world readable silos people need to be worried about – world writeable ones allow miscreants to inject malware into websites, encrypt documents and hold them to ransom, and so on.
Hundreds of warning notes, alerting IT admins to insecure world-writable buckets, have recently appeared in S3 silos, courtesy of gray-hat hackers.
The problem isn’t just publicly readable S3 buckets, there’s also this. It’s a bag of fireworks waiting to go off (see also what happened to open MongoDB instances).
— Kevin Beaumont (@GossiTheDog) February 20, 2018
Needless to say, if you administer one or more S3 storage buckets, now would be a good time to make sure your access controls (both read and write) are properly configured to keep unauthorized netizens out. Amazon has tools available to prevent this kind of cockup. S3 silos are, by default, not accessible to the public internet. ®
Updated to add at 00:56 UTC
The CoinHive code has been stripped from the LA Times' website.