MANILA, Philippines – Cybercrime groups are moving towards websites using the Drupal content management system in order to earn cryptocurrency illicitly, an act also known as cryptojacking.
Following the disclosure of two vulnerabilities – CVE-2018-7600 and CVE-2018-7602 – which left one million websites at risk, numerous site owners took the chance to update their sites. Those who didn't, however, were left at the mercy of hackers who used proof-of-concept attack code to attach cryptocurrency miners to websites.
Most recently, around 350 websites were taken advantage of in a new campaign outlined by Troy Mursch of Bad Packets.
Among those infected are the University of Batangas website, Lenovo, UCLA, and the Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC).
Mursch explained the bad actors hid a version of the Coinhive cryptocurrency miner inside a file labeled "jquery.once.js?v=1.2." The file was loaded onto each of the compromised Drupal sites, which essentially enabled attackers to mine for cryptocurrency using visitors' processing power.
He also confirmed the infection on at least 350 sites where the mining was occurring.
Mursch also suggested, in addition to updating the affected sites, that users take advantage of legitimate coinminer blockers to prevent being abused by mining hacks. – Rappler.com
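For site owners checking their own pages, the following is an added example, not code from Mursch or Bad Packets. It lists a page's script tags and flags a "jquery.once.js" served from a host other than the site's own, plus any script that mentions Coinhive. The host names, the sample HTML and the rule that a legitimate copy comes from the site's own host are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; hosts and site key are placeholders, not campaign values.
SAMPLE_HTML = """<html><head>
<script src="/misc/jquery.js?v=1.4.4"></script>
<script src="/misc/jquery.once.js?v=1.2"></script>
<script src="https://cdn.example.net/misc/jquery.once.js?v=1.2"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
</head><body>Hello</body></html>"""

MINER_MARKERS = ("coinhive",)  # matched case-insensitively as substrings

class ScriptAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []
        self._in_inline = False  # True while inside a <script> with no src

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        self._in_inline = src is None
        if src is None:
            return
        url = urlsplit(urljoin(self.page_url, src))  # resolve relative paths
        name = url.path.rsplit("/", 1)[-1].lower()   # file name without query
        if name == "jquery.once.js" and url.hostname != self.page_host:
            self.findings.append(("off-site-jquery-once", url.geturl()))
        if any(m in url.geturl().lower() for m in MINER_MARKERS):
            self.findings.append(("miner-marker-in-src", url.geturl()))

    def handle_data(self, data):
        if self._in_inline and any(m in data.lower() for m in MINER_MARKERS):
            self.findings.append(("miner-marker-inline", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit(html, page_url):
    """Return a list of (finding_kind, detail) tuples for one page."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_HTML, "https://www.example.org/"):
        print(kind, detail)
```

A marker match is a weak signal because miner code can be obfuscated; comparing the served "jquery.once.js" byte for byte against the copy shipped with the installed Drupal release is the stronger check.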