400 popular Drupal based websites hacked to mine cryptocurrency

Vulnerability in Drupal CMS Converted Popular Websites into Monero mining platform.

Cryptojacking is nothing short of an epidemic since it is affecting consumers worldwide and security experts have no idea about how to deal with the situation. According to the findings of Bad Packets Report’s security researcher Troy Mursch, over 400 websites have been targeted by hackers with crypto-jacking this past weekend.

The sites are vulnerable to attack because these are using an outdated version of the Drupal Content Management System. The main targets in this campaign happen to be US-based websites since 123 US websites were identified to be the victim of this campaign with France coming at number two with 26 infected sites, Canada’s score is 19, Germany’s 18 and Russia’s 17 respectively.

US websites include some government websites including the government of Chihuahua; the Turkish Revenue Administration, and Peru’s Project Improvement of Higher Education Quality, tech firms such as Lenovo, San Diego Zoo, and US educational institutions websites.

US National Labor Relations Board, the University of California at Los Angeles, the Arizona Board of Behavioral Health Examiners and the City of Marion websites also got attacked and infected with cryptocurrency miners.

See: New malware mine cryptocurrency without open browser session

Mursch has been tracking the campaign and identified that it involves hijacking the PC’s processing power for generating Monero virtual currency. Users cannot even have the slightest hint that their PC is being used for mining cryptocurrency.

It must be noted that all the infected websites use similar JavaScript piece that is hosted on vuuwd.com. It is an obfuscated code that affects the performance of visitor’s computer as it is forced to dedicate 80% of its CPU resources to mine Monero.

What happens is that the miner that infects the PC remains active on the computer’s browser and as you load the website, it starts consuming processor power to perform crypto-mining. To make more money, hackers need to infect enough computers with crypto-miner. The downside is that the processor gets slowed down due to heavy workload and excessive electricity is consumed. Resultantly your PC’s performance deteriorates.

The Drupal CMS vulnerability being exploited basically makes it easy to launch code-execution attacks. It is dubbed as Drupalgeddon2. Though the flaw was patched by Drupal maintainers in March there are still many sites that aren’t updated and vulnerable to exploitation by crypto-miners.

As noted by Mursch in his blog post that there has been plenty of Drupalgeddon2 examples so it means the flaw is being ardently exploited by malicious cybercriminals.

“This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP,” wrote Mursch.

After the blog post from Mursch was published over the weekend, few of the infected websites got disinfected by Monday morning. The disinfected websites include the National Labor Relations Board’s website. Yet, the campaign is still active and continually compromising new websites since until weekend Mursch identified 348 infected websites and the number increased to over 400 by Monday morning.

See: Hackers Hide Monero Cryptominer in Scarlett Johansson’s Picture

Mursch also noted that apart from exploiting Drupalgeddon2, cybercriminals are also installing malware to conduct denial of service attacks on websites.

Website admins must immediately patch their systems if their website runs on Drupal CMS. If your website is hacked then apart from updating Drupal, you need to disinfect it as well. It is definitely going to be a tough task to accomplish since more than 1 million websites currently use the Drupal CMS and we have no idea how many haven’t been updated with the latest patch that provides protection from Drupalgeddon2.

Image credit: Depositphotos

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.