Public Cloud Security Breaches Documenting their mistakes so you don't make them.

LA Times Cryptomining

Incident Details

Victimized Company: The Los Angeles Times
Incident Dates: 2018-02-09 to 2018-02-22
Disclosure Date: 2018-02-21
Current Status: Threat Actor Unknown

In February 2018, The Los Angeles Times was unwittingly part of a cryptojacking scheme. A publicly writable S3 bucket backing their website was discovered and modified to serve Coinhive Monero-mining JavaScript code. The injected code used the CPU power of any browser that visited the site.

Incident

Details of the Incident

In February 2018, security researcher Troy Mursch discovered a cryptojacking script running on The Los Angeles Times website. The script came from Coinhive, a now shut down crypto-mining business that let users embed purpose-built JavaScript code that mined Monero using the CPU of the site’s visitors’ devices.

The vulnerability was a misconfiguration of The Los Angeles Times AWS S3 bucket that allowed write access to anyone. An unauthorized third party took advantage of this opening and modified a JavaScript file inside the bucket, adding the Coinhive script to begin mining. According to Mursch, the code was located on The Los Angeles Times Homicide Report web page, a page with frequent visitors, as seen using the website scanning tool urlscan.io [1].

Mursch states that “the miner was throttled to reduce the impact on visitors’ CPUs and would be harder to detect”, compared to the full 100% CPU usage that most cryptojackers use. Mursch said the code might have been there since at least February 9th. Mursch emailed The Los Angeles Times, advising them to remove the malicious JavaScript.

While researching this, Mursch discovered [2] another file, BugDisclosure.txt, which contained a warning to the site operators, urging them to secure it.

Timeline

Date                 Event
February 9th, 2018   First known evidence that the LA Times’ S3 bucket hosted the Coinhive miner.
February 21st, 2018  Security researcher Troy Mursch identifies that unauthorized users uploaded a cryptocurrency miner to the LA Times website.
February 22nd, 2018  The Los Angeles Times removes the Coinhive code from the Homicide Report page.

Attribution / Perpetrator

The threat group has never been identified or disclosed.

Summary of Coverage

Cloud Security lessons learned

  • The LA Times did not have a cloud security posture management (CSPM) tool in place, or had not prioritized the remediation of its findings.
  • The LA Times did not have any file integrity checking in place to ensure that the code served to visitors was verified and came from a known source repository.
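The root cause above was a bucket anyone could write to. As an added example (not code from the original page or from the LA Times), the following Python implements the kind of check a CSPM tool runs: it inspects a bucket's ACL and bucket policy for grants that let anonymous or any-AWS-account principals write objects. The ACL, policies, bucket name and role ARN are constructed samples in the shape the S3 API returns them.

```python
"""Added example (not from the original page): flag S3 configurations that
let anyone overwrite objects, the misconfiguration behind this incident.
Inputs are constructed documents in the shape the S3 API returns them."""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_write_action(action):
    a = action.lower()
    return a in ("*", "s3:*", "s3:deleteobject") or a.startswith("s3:put")

def public_acl_grants(acl):
    """Return ACL grants that give WRITE or FULL_CONTROL to everybody."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            if grant.get("Permission") in ("WRITE", "FULL_CONTROL"):
                findings.append(f"{grant['Permission']} for {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings

def public_write_statements(policy):
    """Return Sids of Allow statements granting write actions to Principal '*'.
    Conditions are not evaluated, so a conditioned statement is still reported."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and anyone and any(
                _is_write_action(a) for a in _as_list(stmt.get("Action", []))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed samples: a static-site bucket that was opened for public upload.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-site/*"}]}
# Corrected: anonymous principals may only read; writes come from a deploy role.
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"},
    {"Sid": "DeployWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deploy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-site/*"}]}
```

Running the checks against the weak documents reports the AllUsers WRITE grant and the AnyoneCanUpload statement, while the corrected policy produces no findings; in practice the same functions would be fed the output of get_bucket_acl and get_bucket_policy for every bucket in the account.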