Hackers have been stealing CPU-cycles from visitors to the Make-A-Wish Foundation’s international website in order to mine for Monero cryptocurrency. Researchers said they found the CoinIMP mining script embedded in the non-profit’s website, and that it was taking advantage of the Drupalgeddon 2 vulnerability.
Trustwave researchers discovered the cryptominer on the Make-A-Wish International’s website and said it had been active since May. Make-A-Wish International is the global arm of the US-based Make-A-Wish Foundation.
“Embedded in the site was a script using the computing power of visitors to the site to mine cryptocurrency into the cybercriminals’ pockets, making their ‘wish’ to be rich, come ‘true,'” said Simon Kenin, security researcher with Trustwave in a Monday post outlining the discovery. “It’s a shame when criminals target anyone but targeting a charity just before the holiday season? That’s low.”
According to Kenin, the attack leveraged an unpatched instance of the Drupal online publishing platform and the Drupalgeddon 2 vulnerability, patched in March.
“A quick investigation showed that the domain ‘drupalupdates.tk’ that was used to host the mining script is part of a known campaign which has been exploiting Drupalgeddon 2 in the wild since May 2018,” said Kenin.
While a patch for the critical remote-code execution bug (CVE-2018-7600), has been available for months, many sites have not updated and remain vulnerable. As of June, in fact, more than More than 115,000 sites were still vulnerable.
Kenin said he reached out to the Make-A-Wish organization, but didn’t hear back – however, the injected script has since been removed from the site.
“We are aware that the Make-A-Wish International Worldwish.org website was impacted by a vulnerability, which has been removed and remedied,” A Make-A-Wish spokesperson told Threatpost. “No Make-A-Wish International donor or constituent data was compromised by this incident. Make-A-Wish International is redoubling its efforts to maintain website security against third-party threats.”
In the meantime, Kenin warned that Drupal-based websites need to be updated or risk malicious exploits such as Drupalgeddon 2.
“Drupalgeddon 2 is not the only attack vector that cyber criminals use to infect sites with cryptojacking malware,” he said. “The cryptojacking phenomenon is so widely spread that it is sometimes hard to tell whether a website is infected with malware or the mining code was genuinely added by the site owner. This is especially true of smaller sites, who might use cryptomining in a legitimate source of income but whose ability to secure their website might also be limited putting them at risk of cryptojacking compromise.”