Nearly 400 websites running outdated and vulnerable versions of the Drupal content management system, many affiliated with governments and educational institutions, were recently discovered to be infected with Coinhive-based cryptomining software.

In a May 5 post on his "Bad Packets Report" blog site, security researcher Troy Mursch says that the  Monero cryptojacking campaign he uncovered compromised 391 sites in total, more than a quarter of which are U.S.-based. Prominent victims included the San Diego Zoo, Lenovo, DLink (Brazil), UCLA, the National Labor Relations Board, the Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC), and the government of Chihuahua, Mexico.

Mursch explains that the sites all had Coinhive or a throttled implementation of Coinhive injected into a JavaScript library. All of the sites had a Coinhive site key that pointed to the domain, which was registered with fraudulent WHOIS information and has been used in previous Monero mining operations.

The researcher notes that the attacker was sloppy in that he used a self-signed SSL certificate instead of a trusted one, meaning the payload is not injected using HTTPS. Consequently, in at least some cases, Coinhive failed to load on the sites because the connection to the server was blocked.

Drupal-based websites have emerged as an alluring target for cryptomining campaigns of late, following the discovery of the Drupalgeddon 2.0 vulnerability that was patched last March. It is not clear if the attackers in this case exploited this particular bug, however.

"We've seen plenty examples of Drupalgeddon 2 being exploited in the past few weeks," Mursch writes. "This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale.