Drupal CMS Cryptojacking Campaign Is Spreading, Attacking Websites
Drupal Sites Targeted by Large Cryptojacking Campaign
With cryptocurrencies growing in interest all over the world, some hackers invented new ways to mine virtual currencies. By injecting a malicious code in some websites, the hackers are able to steal the unused CPU power of the visitors. But it seems that some websites are more vulnerable than others. We are talking about Drupal sites.
Massive Cryptojacking Attack
According to Bad Packets, there was an ongoing cryptojacking campaign affecting different websites, including the San Diego Zoo and the government of Chihuahua, Mexico. The site explains that both sites are not related with each other, but they use an ‘outdated and vulnerable’ version of the Drupal content management system. But apparently, there were more than 300 websites affected by the same cryptojacking campaign.
The report presented by Bad Packets reads as follows:
The historical DNS data collected from SecurityTrails revealed that the domain name vuuwd.com, was used previously in Monero (XMR) mining operations through mineXRM.com. The report says that they have switched from a mining pool with 1% fee to Coinhive, who takes 30% of all the mining proceeds.
The important conclusion was that all the 348 infected websites analyzed were using an outdated version of the Drupal content management system. In the past, the Drupalgeddon 2 has been exploited as well. Those websites using Drupal need to change to the latest available version to avoid being infected by Coinhive injections.
There is a website that was created to help test your web browsers to see if it has been infected by cryptojacking malware – find our review of that here – also be sure to see our report on Ahref's cryptocurrency hijacking mining research they released a few months ago.