Drupalgeddon2: Cryptojacking Epidemic on Vulnerable Drupal Sites

So far, over 400 sites have been discovered infected with Monero (XMR) mining malware. All of them are Drupal sites that have not been kept updated to the latest version and so still suffer from the Drupalgeddon2 RCE flaws.

How can I protect myself?

  • It is strongly urged that you update your site’s Drupal CMS (content management system) immediately.
  • It is also strongly urged that you check your server for any PHP backdoor the attacker may have installed for later access, even if the site has since been updated, and for CoinHive or other Monero mining software.
  • Around 400 actively mining, malware-infected sites have been discovered so far, but over a million sites use the Drupal CMS and may be vulnerable.
  • Two vulnerabilities, CVE-2018-7600 and CVE-2018-7602, have allowed the attackers to gain access to the infected machines.

Two cryptojacking campaigns, one CMS

Researcher Troy Mursch published his findings of an investigation into the cryptojacking of Drupal sites on May 5, 2018. Prior to his uncovering of the recent campaign, another cryptojacking campaign called the “Kitty Malware” was discovered by web security firm Imperva.

Both campaigns are similar in that they hijack the computing power of the site’s visitors’ browsers, or of the site’s server itself, to mine Monero, either with CoinHive or similar mining software. Both also exclusively target Drupal CMS installations that have not been updated. Drupal is a little complicated for novice users to update, so many sites remain vulnerable to exploitation.

Why Monero?

Monero is a privacy-focused cryptocurrency which has recently faced scrutiny from Japanese regulators, who want it banned from Japanese cryptocurrency exchanges because the privacy it affords users makes AML/KYC policies (anti-money laundering/know your customer) effectively useless. Monero has more recently been adopted on the Dark Web as one of the preferred currencies alongside Bitcoin, Dash, and Zcash. All of these coins offer private transactions that make it hard for investigators to track the movement of funds or the identity of the users. Attackers naturally benefit from these privacy-centric qualities of Monero, and also from its ASIC-resistant mining algorithm, which makes it possible to mine the cryptocurrency on less resource-intensive machines.

A look at both cryptojacking campaigns

The “Kitty Malware” uses a Monero miner from webminerpool.com, similar to the CoinHive miner, injected into sites in a file called “me0w.js”. The attackers have also managed to install a backdoor on the sites’ servers, giving them access at a later date even if steps such as updating Drupal have been taken to stop the cryptojacking. Researchers advise checking for these backdoors or completely reinstalling from scratch.

The second campaign, found by Troy Mursch, is injected into vulnerable sites via a file named “jquery.once.js?v=1.2”. The same precautions are advised to prevent attackers from exploiting your site.
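As an added example that is not part of the original article or the researchers’ work: a small scanner that supports the “check your server” advice above by looking for the indicators this page names (the me0w.js and jquery.once.js?v=1.2 script names, webminerpool.com, CoinHive) across a Drupal webroot. The PHP backdoor heuristics, the file-type list and the sample files are constructed assumptions, not indicators from the article.

```python
import re
import sys
from pathlib import Path
# Indicators named in the article: injected miner script names and miner hosts.
MINER_INDICATORS = {
    "me0w.js": re.compile(r"me0w\.js", re.I),
    "jquery.once.js?v=1.2": re.compile(r"jquery\.once\.js\?v=1\.2", re.I),
    "webminerpool.com": re.compile(r"webminerpool\.com", re.I),
    "coinhive": re.compile(r"coinhive", re.I),
}
# Constructed heuristics for a dropped PHP backdoor (assumption, not from the article):
# code that runs decoded or request-supplied input. Expect false positives; review each hit.
BACKDOOR_INDICATORS = {
    "eval-of-decoded-blob": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    "exec-of-request-input": re.compile(
        r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
}
SCAN_SUFFIXES = {".php", ".inc", ".module", ".theme", ".js", ".html", ".htm"}

def scan_text(text: str) -> list[str]:
    """Return the names of all indicators matching anywhere in `text`."""
    hits = [n for n, rx in MINER_INDICATORS.items() if rx.search(text)]
    return hits + [f"php-backdoor:{n}" for n, rx in BACKDOOR_INDICATORS.items() if rx.search(text)]

def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Scan Drupal code and template files under `root`; map relative path to hits."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed stand-ins for webroot files (not captured from a real site).
SAMPLE_FILES = {
    "core/misc/clean.html": '<script src="/core/misc/drupal.js"></script>',
    "sites/default/files/page.html": '<script src="/sites/default/files/me0w.js"></script>',
    "themes/x/footer.html": '<script src="/sites/default/files/jquery.once.js?v=1.2"></script>',
    "sites/default/files/cache.php": "<?php eval(base64_decode($_POST['d'])); ?>",
}

def scan_samples() -> dict[str, list[str]]:
    """Run scan_text over SAMPLE_FILES and keep only the files with hits."""
    return {p: h for p, h in ((p, scan_text(c)) for p, c in SAMPLE_FILES.items()) if h}

if __name__ == "__main__":
    for path, hits in sorted(scan_webroot(Path(sys.argv[1])).items()):
        print(f"{path}: {', '.join(hits)}")
```

Hits are leads, not verdicts: Drupal legitimately ships a jQuery Once library, so the `?v=1.2` query string is the indicator, and any flagged PHP file needs a manual look before the site is declared clean.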

In conclusion

Be careful out there, folks, and make sure your Drupal CMS is up to date to prevent your site from being used to cryptojack your visitors. Troy Mursch found that many sites, including government sites, universities, and other high-profile sites, have already been infected and are actively mining Monero for the attackers. Make sure to take the proper countermeasures to protect yourself.
