A new type of hacker is attacking corporate servers across the Internet, but it isn’t company data they’re after — it’s compute power. According to a recent report, the LA Times is the latest major website to be affected by the cryptojacking trend.
Cryptojacking describes the act of hijacking server or client resources for the purpose of mining cryptocurrency. This can happen through the direct hijacking of a website’s server or cloud account, whose compute power is then used to mine cryptocurrency. It can also refer to the injection of malicious code into a website, where the code uses the CPU power of each visitor’s browser.
In both of these cases, extra clock cycles are spent earning money for third parties without the knowledge or consent of the website’s owners or the visitors of that site.
Legitimate Uses of the Technology
There are legitimate uses for this type of technology. For example, some websites choose to forgo the traditional ad-based model for monetization in favor of letting their users contribute spare CPU during their visit. One company facilitating this is Coinhive.
Popular websites, including Salon, have reportedly opted to use the Coinhive script to make up losses that ad blockers and other anti-advertising tools have created.
Problems arise, however, when Coinhive’s script is manipulated and applied to websites without their consent.
LA Times, Showtime Networks, and More
The LA Times hosts an interactive map of city murders on its website. This map is a useful resource for LA Times’ audience, but for several weeks, it reportedly hosted the Coinhive script.
Last September, Showtime’s website network was found to be infected with Coinhive’s script.
Coinhive isn’t the only source of extra income for these cryptojackers. Cybersecurity firm Check Point recently released a list of top malware offenders that affect what it estimates is 55% of businesses worldwide.
Unsecured S3 Buckets
Researchers from Bad Packets Report noticed the script on the LA Times site after stumbling across an open LA Times-owned AWS S3 bucket that was left unsecured and writable to the public. This discovery is not necessarily directly linked to the hijacked webpage, but it does serve as a vector for another form of cryptojacking which affected Tesla over the past month.
In this type of cryptojacking, cloud compute resources are used by hackers to generate cryptocurrency for themselves without the knowledge or consent of the owner of the cloud account. An open S3 bucket serves as an entrance vector for this activity.
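The condition described above, a bucket writable by the public, can be checked from the bucket's ACL and policy documents. The following is an added example, not code from the original article or from any of the parties it names; it assumes the documents have the JSON shape returned by the AWS CLI `get-bucket-acl` and `get-bucket-policy` calls, and the sample documents and `example-bucket` name are constructed.

```python
import fnmatch

# Grantee URIs S3 uses in ACLs for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Object-level write actions checked in bucket policies.
POLICY_WRITE = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean anyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def public_write_findings(acl, policy):
    """Return the reasons a bucket is publicly writable (empty list if none)."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS) and grant.get("Permission") in ACL_WRITE:
            findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    for stmt in as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        # Actions are case-insensitive and may use wildcards ("s3:*", "s3:Put*").
        hits = sorted({w for a in as_list(stmt.get("Action", []))
                       for w in POLICY_WRITE if fnmatch.fnmatchcase(w.lower(), a.lower())})
        if hits:
            scope = "conditionally" if stmt.get("Condition") else "unconditionally"
            findings.append(f"policy {scope} allows {', '.join(hits)} to anyone")
    return findings

# Constructed sample documents (not taken from any real bucket).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"},
]}

if __name__ == "__main__":
    print("\n".join(public_write_findings(SAMPLE_ACL, SAMPLE_POLICY)))
```

The check ignores `Resource`, `NotPrincipal` and account-level Block Public Access settings, so a finding is a prompt to review the bucket rather than a final verdict.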
Cryptojacking is not new, but it is growing rapidly as the value of cryptocurrency continues to increase, and with it the demand for large-scale compute resources.