Cryptojacking Attack Targets Make-A-Wish Foundation Website

Hackers took advantage of an unpatched Drupal vulnerability in the organization’s website to launch a cryptojacking attack.

Hackers have been stealing CPU-cycles from visitors to the Make-A-Wish Foundation’s international website in order to mine for Monero cryptocurrency. Researchers said they found the CoinIMP mining script embedded in the non-profit’s website, and that it was taking advantage of the Drupalgeddon 2 vulnerability.

Trustwave researchers discovered the cryptominer on the Make-A-Wish International’s website and said it had been active since May. Make-A-Wish International is the global arm of the US-based Make-A-Wish Foundation.

“Embedded in the site was a script using the computing power of visitors to the site to mine cryptocurrency into the cybercriminals’ pockets, making their ‘wish’ to be rich, come ‘true,'” said Simon Kenin, security researcher with Trustwave in a Monday post outlining the discovery. “It’s a shame when criminals target anyone but targeting a charity just before the holiday season? That’s low.”

The CoinIMP miner is JavaScript based and is often used by unsavory individuals who secretly embed the code into websites and use it to mine Monero currency on a site visitor’s phone, tablet or computer.

According to Kenin, the attack leveraged an unpatched instance of the Drupal online publishing platform and the Drupalgeddon 2 vulnerability, patched in March.

“A quick investigation showed that the domain ‘drupalupdates.tk’ that was used to host the mining script is part of a known campaign which has been exploiting Drupalgeddon 2 in the wild since May 2018,” said Kenin.

While a patch for the critical remote-code execution bug (CVE-2018-7600), has been available for months, many sites have not updated and remain vulnerable. As of June, in fact, more than More than 115,000 sites were still vulnerable.

This cryptojacking campaign was particularly difficult to find because it used different techniques to avoid static detections. For instance, it starts with changing the domain name that hosts the JavaScript miner (which is itself obfuscated). Then, the WebSocket proxy also used different domains and IPs to avoid blacklist solutions, according to Trustwave.

Kenin said he reached out to the Make-A-Wish organization, but didn’t hear back – however, the injected script has since been removed from the site.

“We are aware that the Make-A-Wish International Worldwish.org website was impacted by a vulnerability, which has been removed and remedied,” A Make-A-Wish spokesperson told Threatpost. “No Make-A-Wish International donor or constituent data was compromised by this incident. Make-A-Wish International is redoubling its efforts to maintain website security against third-party threats.”

In the meantime, Kenin warned that Drupal-based websites need to be updated or risk malicious exploits such as Drupalgeddon 2.

“Drupalgeddon 2 is not the only attack vector that cyber criminals use to infect sites with cryptojacking malware,” he said. “The cryptojacking phenomenon is so widely spread that it is sometimes hard to tell whether a website is infected with malware or the mining code was genuinely added by the site owner. This is especially true of smaller sites, who might use cryptomining in a legitimate source of income but whose ability to secure their website might also be limited putting them at risk of cryptojacking compromise.”

Suggested articles