A security expert claims the Los Angeles Times website is mining the cryptocurrency Monero.
British cybersecurity expert Kevin Beaumont posted this to Twitter:
— Kevin Beaumont (@GossiTheDog) February 22, 2018
It was discovered by security researcher Troy Mursch. The Register raised the alert just two days after Beaumont warned that leaving files world-writable and in an easily accessible place would make companies a target:
The problem isn’t just publicly readable S3 buckets, there’s also this. It’s a bag of fireworks waiting to go off (see also what happened to open MongoDB instances).
— Kevin Beaumont (@GossiTheDog) February 20, 2018
He claims the problem lies in Amazon’s AWS servers. Misconfigured S3 buckets – the places where businesses upload their data – have been found leaking data. Security firm UpGuard has had a merry time lately outing all the companies that have leaky S3 buckets.
Here’s where the Coinhive malware was hiding in the LA Times’ script:
Coinhive is legitimate software. If you own a website, you can embed it as an alternative to running ads for income.
It’s the same software plugin that Salon used to try out a new funding model.
If you want to block ads on Salon’s website, you have to agree to let the site use your unused computing power to mine Monero.
But if you leave your defences down — say, in the form of a leaky AWS bucket — hackers can insert the code in your website and have the coins mined to their account.
Some of the bigger victims in the past couple of months include Politifact and Showtime.
At least one of the LA Times hackers was kind enough to leave a warning: