UPDATE – Hundreds of websites running on the Drupal content management system – including those of the San Diego Zoo and the National Labor Relations Board – have been targeted by a malicious cryptomining campaign taking advantage of unpatched and recently revealed vulnerabilities.
The attacks, which have impacted over 400 government and university websites worldwide, leverage the critical remote-code execution vulnerability (CVE-2018-7600) dubbed Drupalgeddon 2.0, said Troy Mursch, researcher with Bad Packets Report. The Drupal bug in questions has been patched for over a month now.
“After the scan completed, the full scope of this cryptojacking campaign was established,” Mursch wrote in a report posted Saturday. “Using the bulk scan feature of urlscan.io, it became clear these were all sites were running outdated and vulnerable versions of Drupal content management system.”
This #cryptojacking outbreak started at the zoo and quickly spread to 400+ other sites. https://t.co/SNRtysBcsi
— Bad Packets Report (@bad_packets) May 7, 2018
As of Tuesday evening, Mursch said he has found more websites that were targeted by the attack, including that of Lenovo, UCLA, and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (a US federal government agency).
Sheet has been updated with additional sites. It's not an exhaustive list and is subject to change as this #cryptojacking campaign is still ongoing. https://t.co/AwO2oe1znp
— Bad Packets Report (@bad_packets) May 8, 2018
The cryptominer in question was made by Coinhive, a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive’s JavaScript miner software is often used by hackers, who secretly embed the code into websites and then mine Monero currency by tapping the CPU processing power of site visitors’ phones, tablets and computers.
“Digging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method,” Mursch wrote. “The malicious code was contained in the ‘/misc/jquery.once.js?v=1.2’ JavaScript library.”
Mursch said he was notified by one of his Twitter followers soon after of additional compromised sites using a different payload – however, all the infected sites pointed to the same domain using the same Coinhive site key. Coinhive’s site key is code linked to a unique cryptographic key that delegates who keeps the cryptocurrency that is being mined.
That domain used to inject the malware was vuuwd[.]com, according to Mursch. “Once the code was deobfuscated, the reference to ‘http://vuuwd[.]com/t.js’ was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.”
The site key used, meanwhile, was “KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.” Mursch said he confirmed the key was still active by checking in Fiddler.
Mursch said that the miner was only slightly throttled so that it had a reduced impact on visitors’ CPUs and would be harder to detect.
Typically, cryptojacking attacks are not throttled and use 100 percent of the target’s CPU. As a result victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.
When trying to nail down the owner of vuuwd[.]com, Mursch came across fake data from WHOIS indicating that “it belongs to ‘X XYZ’ who lives on ‘joker joker’ street in China,” he explained in a Tweet. However, the email address that was used (goodluck610@foxmail.com) provided a small hint as it was associated with other registered domains.
While the clearly fake WHOIS data may seem like a dead end, the same email address (goodluck610@foxmail.com) was used to register five other domains. It's likely you'd find malicious activity tied to these as well. One of the domains references less-fake information. pic.twitter.com/IEeqXrAKTT
— Bad Packets Report (@bad_packets) May 4, 2018
The domain name vuuwd[.]com was also used previously in Monero mining operations through mineXMR[.]com, said Mursch: “While it’s somewhat unusual they’d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made,” he said.
Drupalgeddon 2.0, which has been patched for over a month now and impacts versions 6,7, and 8 of Drupal’s CMS platform, “potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” according to MITRE’s Common Vulnerabilities and Exposures bulletin back on March 28.
Since Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits, botnets and cryptomining malware have cropped up – including a recent attack, leveraging the “Kitty” cryptomining malware, which cashed in on the vulnerable Drupal websites.
Beyond the Kitty malware, researchers have found a botnet, dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a ransomware attack hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.
“We’ve seen plenty examples of Drupalgeddon 2 being exploited in the past few weeks,” said Mursch in the report. “This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP.”
