Attack Type: CryptoCurrency Mining

Delivery: Malicious script hosted on LA Times’ AWS S3 Bucket

Amazon allows for arbitrary key-value storage through its S3 service. Data is stored in “buckets,” and one owned by the L.A. Times was left in an unsecured state with public write permissions. This allowed attackers to upload a JavaScript cryptocurrency miner that was ultimately served unknowingly on victim websites. This is not the first instance of security issues due to misconfigured AWS S3 buckets. Reports show that almost 50 publicly available AWS buckets have been found in systems controlled by the organizations whose websites serve millions of users daily.

Just in the past six months, documents have been exfiltrated from unprotected S3 buckets belonging to Verizon, the NSA, the U.S. military, French marketing company Octoly, and analytics firm Alteryx, which included data from credit reporting bureau Experian and the U.S. Census Bureau. Most recent incidents include Tesla, which left a Kubernetes console unprotected that had AWS access credentials, and Fedex, which openly exposed an archive of more than 119,000 scanned documents–including passports and drivers licenses–plus customer records including postal addresses.

Learn more about threats on Cisco Umbrella’s Threat Spotlight.

This guest blog is part of a Channel Futures sponsorship.