If you run a Drupal website without the latest security patches, it’s time to update: hackers are using known exploits to install cryptojackers.
The website for the San Diego Zoo was hijacking user CPUs to mine cryptocurrency last week. Security researcher Troy Mursch discovered this, along with 300 other websites, many run by government entities around the world, that were hijacked to mine cryptocurrency. Here’s Mursch writing for Bad Packets Report:
Yesterday, I was alerted to a cryptojacking campaign affecting the websites of the San Diego Zoo and the government of Chihuahua, Mexico. While these two sites have no relation to each other, they shared a common denominator—they both are using an outdated and vulnerable version of the Drupal content management system. After I analysed the IoCs, I was able to locate over 300 additional websites in this cryptojacking campaign. Many discovered were government and university sites from all over the world.
Here’s a full list of exploited sites, which includes the US National Labor Relations Board, the City of Marion, Ohio, and the Turkish Revenue Administration. Even tech companies like Lenovo had this problem.
Drupal is an open source content management system used by millions of websites. Many webmasters using it aren’t quick when it comes to installing updates, often because of dependency conflicts. This means known exploits are left unpatched, leaving their sites vulnerable to this kind of code injection.
Not a webmaster, but worried about this? Here’s how to block cryptocurrency miners in your web browser. Google Chrome and other browsers should really block this by default, but until they do you have to protect yourself.