Cryptojacking attacks are becoming increasingly prevalent, as scammers exploit vulnerabilities in websites to hijack the resources of unsuspecting visitors. This type of scam, which mines cryptocurrency for the hackers in the background, has already affected a number of websites, leveraging cloud-based mining to turn attacks into cash.
Now, it looks as though a new, major wave of cryptojacking attacks is underway, specifically targeting websites using the Drupal content management system (CMS).
Security researcher Troy Mursch recently revealed on the Bad Packets Report website how hackers have deployed the cloud-mining script Coinhive on websites including those of San Diego Zoo and Mexico’s Chihuahua government, among others. Initial reports uncovered as many as 400 similarly affected sites, including a number of domains operated by universities and government agencies.
In both of the above examples, the script was injected into the “/misc/jquery.once.js?v=1.2” JavaScript library, a pattern researchers then used to identify countless other examples of the hack in action.
Cryptojacking significantly increases CPU usage for website visitors and can undermine important digital infrastructure, as the list of affected government sites in this case shows. In some cases, because CPU usage is unthrottled, devices can overheat, with 100 percent of their processing power being used up in the mining process.
So what can website administrators do to protect against these threats? Mursch recommended vulnerable websites immediately take steps to protect themselves.
“We’ve seen plenty examples of Drupalgeddon 2 being exploited in the past few weeks,” he wrote. “This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP.”
Although the Drupal security team already has an FAQ documenting the risk level and mitigation steps, Mursch advised users “to take further remediation steps” because “installing the update won’t retroactively ‘unhack’” the website.
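One such remediation check, as an added example that is not from Mursch's report or the Drupal project: compare every JavaScript file in the site's docroot against a pristine copy of the same Drupal release, and separately flag files that name the miner. The function names, the `coinhive` marker and the sample file contents are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: an un-obfuscated injection mentions the miner by name.
MINER_MARKER = re.compile(rb"coinhive", re.IGNORECASE)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_js(site_root: Path, clean_root: Path) -> dict[str, list[str]]:
    """Check every .js file under site_root against the pristine tree."""
    findings: dict[str, list[str]] = {}
    for js in sorted(site_root.rglob("*.js")):
        rel = js.relative_to(site_root)
        reference = clean_root / rel
        reasons = []
        if not reference.is_file():
            reasons.append("not in pristine release")
        elif sha256(js) != sha256(reference):
            reasons.append("differs from pristine release")
        if MINER_MARKER.search(js.read_bytes()):
            reasons.append("miner marker")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed trees: one untouched file, one named loader, one opaque blob."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean/misc"), Path(tmp, "site/misc")
        clean.mkdir(parents=True)
        site.mkdir(parents=True)
        original = b"(function ($) { $.fn.once = function () {}; })(jQuery);\n"
        for name in ("jquery.once.js", "drupal.js", "ajax.js"):
            (clean / name).write_bytes(original)
        (site / "drupal.js").write_bytes(original)
        # Constructed tampering, appended to otherwise genuine-looking files.
        (site / "jquery.once.js").write_bytes(original + b"/* CoinHive loader */\n")
        (site / "ajax.js").write_bytes(original + b"var _0x1=['x'];\n")
        return audit_js(site.parent, clean.parent)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons))
```

The constructed `ajax.js` case shows why the hash comparison matters: an obfuscated payload carries no recognisable marker, but the file still differs from the release copy.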
With attacks of this kind likely to become increasingly common, a greater awareness of the risks is required. The development will be concerning for website owners, but serves as a reminder of the importance of using the latest versions of any CMS.