Cryptocurrency Miners Exploit Widespread Drupal Flaw
Researcher: 400 Sites or More Fall Victim to Massive, Forced Monero Mining Operation
A remote code execution vulnerability revealed in late March in the Drupal content management system is now being used on a large scale for mining virtual currency.
The list of websites that have fallen victim to cryptocurrency hijacking attacks now numbers more than 400, with those affected including Lenovo, the India Olympic Association and the San Diego Zoo. Various U.S. government sites, including the National Labor Relations Board and the Office of Inspector General of the U.S. Equal Employment Opportunity Commission, have also been hit.
"There's most definitely more," says Mursch, who published a blog post describing his findings on Saturday. "It's not an exhaustive list. Other sites will unfortunately be detected. At least at this point it's another reminder: Update your Drupal installations or this may happen to you."
Mursch says that as with other mass attacks online, notification is quite a challenge. He's started notifying governments and universities, but is hoping word will spread so other affected sites can be quickly remediated.
The code planted on the infected websites "mines" the privacy-focused virtual currency monero. Mining is the process that virtual currencies use to verify transactions on a blockchain.
When users visit an infected website, their computer begins generating hashes as part of a pooled effort to complete a block for the blockchain. If a pool completes a block, monero gets doled out as a reward.
Although users who visit an affected site usually remain unaware that their system is being used for mining, the mining can affect a computer's performance if the software is configured to use a large percentage of computing power. Additionally, it wastes electricity. The mining ends, however, when someone closes the browser tab.
But virtual currency mining is probably the least harmful action that could result from the "highly critical" vulnerability, according to the Drupal SA-CORE-2018-002 security alert.
The remote code execution vulnerability, which affects Drupal 6, 7 and 8, could also be used by attackers to fully compromise a system. In fact, the vulnerability is so severe that its disclosure has been dubbed "Drupalgeddon 2." All Drupal administrators should upgrade immediately to Drupal 7 or 8 Core, according to the security alert.
Buzz Around Coinhive
Bad Packets Report's Mursch found the affected websites were loading a slightly modified version of the Monero mining script developed by Coinhive.
Coinhive was the subject of a recent in-depth report by cybersecurity blogger Brian Krebs. The mining code often turns up on hacked websites, although it had been positioned as an alternative method to advertisements for generating website revenue.
Coinhive takes a 30 percent share of mining rewards. Critics have called on the service to, at a minimum, not profit when the code is covertly slipped into websites without users' knowledge.
Scott Helme, a U.K.-based security expert, says that although Coinhive's terms of service prohibit sneaky mining, "there are absolutely no technical measures, whatsoever, in place to stop you from doing so.
"If they wanted to stop their product being abused, which they claim they do because its malicious use is damaging their reputation, they could try to put some technical measures in place," Helme says in a Monday blog post.
At least 4,200 websites, including those run by the U.S., U.K. and Australian governments, unwittingly loaded the tainted Browsealoud tool, causing their customers' computers to begin mining Monero. The malicious code ran for about four hours before Browsealoud shut it down.
The good news is that there is now a variety of extensions that users can employ on the client side to detect and stop virtual currency mining (see Cryptojacking: Mitigating the Impact).
But the responsibility for truly stopping it rests with websites, which must ensure they're not infected in the first place.
There are two W3C standards that can help: subresource integrity, or SRI, and content security policy, or CSP. SRI allows for an integrity attribute, containing the hash of the expected file, to be added to a script tag. When the script is fetched, the browser computes its hash and compares it with the value in the attribute. If a tampered script produces a hash that doesn't match, the browser won't run it.
CSP is a whitelisting tool. Admins declare the approved sources for scripts and other resources, and the browser refuses anything loaded from elsewhere, which would block a Coinhive script that is not on the list (see Cryptocurrency Miners: How to Shield Browsers From Bad Guys).
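The SRI check described above can be reproduced offline. The Node.js code below is an added example, not code from the article or from any project it names: it generates the integrity value a site would pin and models the browser's comparison, including the rule that only the strongest listed algorithm counts. The URL, script bodies and function names are constructed for illustration.

```javascript
const { createHash } = require('crypto');

// Hash algorithms defined for SRI, weakest to strongest.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Build the value for the integrity attribute: "<alg>-<base64 digest>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Render the tag. crossorigin is needed for SRI on cross-origin scripts,
// otherwise the browser cannot read the response to verify it.
function scriptTag(url, body) {
  return `<script src="${url}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Model of the browser-side check: parse the attribute, keep only the
// strongest algorithm present, accept if any hash of that strength matches.
function browserWouldExecute(body, integrityAttr) {
  const entries = integrityAttr.trim().split(/\s+/)
    .map((token) => {
      const [hashExpr] = token.split('?');          // drop optional "?options"
      const dash = hashExpr.indexOf('-');
      return { alg: hashExpr.slice(0, dash).toLowerCase(), digest: hashExpr.slice(dash + 1) };
    })
    .filter((e) => ALGS.includes(e.alg));            // unknown algorithms are ignored
  if (entries.length === 0) return true;             // no usable hash: no protection at all
  const strongest = Math.max(...entries.map((e) => ALGS.indexOf(e.alg)));
  return entries
    .filter((e) => ALGS.indexOf(e.alg) === strongest)
    .some((e) => sriHash(body, e.alg) === `${e.alg}-${e.digest}`);
}

// Constructed sample input: a third-party script as reviewed, and the same
// file after extra code was appended to it on the host.
const reviewed = 'window.readAloud = function () { /* vendor code */ };\n';
const tampered = reviewed + '/* injected: starts an in-browser miner */\n';

const pinned = sriHash(reviewed);
console.log(scriptTag('https://cdn.example/readaloud.js', reviewed));
console.log('reviewed executes:', browserWouldExecute(reviewed, pinned));
console.log('tampered executes:', browserWouldExecute(tampered, pinned));
```

An integrity value that names only an unsupported algorithm is treated as if no hash were present, so the tampered file would run; pin sha384 or sha512.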