Make-A-Wish website compromised to serve cryptojacking script
Visitors of the international website of the US-based non-profit Make-A-Wish Foundation have had their computing power misused to covertly mine cryptocurrency, Trustwave researchers have found.
The compromise
In-browser cryptomining is not illegal and many website owners prefer using it as a money-making substitute for ads, but they usually inform the visitors about it.
In the majority of cases, though, covert cryptomining is a sign that cybercrooks have compromised the website, injected their own cryptomining script into it and are reaping the benefits. And this is exactly what happened to the Make-A-Wish Foundation website.
The cryptojacking CoinIMP script (check.js) injected into the website was being loaded from the drupalupdates.tk domain, which has been associated with a known campaign that has been exploiting a critical Drupal vulnerability (CVE-2018-7600, aka Drupalgeddon 2) to compromise websites since May 2018.
CoinIMP is a JavaScript miner that, similarly to the one offered by the infamous CoinHive service, mines Monero.
“What’s interesting about this particular campaign is that it uses different techniques to avoid static detections,” Trustwave SpiderLabs researcher Simon Kenin pointed out.
“It starts with changing the domain name that hosts the JavaScript miner, which is itself obfuscated. The WebSocket proxy also uses different domains and IPs which make blacklist solutions obsolete.”
Keeping websites safe
As the Foundation’s site runs on Drupal – one of the most popular CMSs today – it’s highly likely that the attackers took advantage of CVE-2018-7600 or CVE-2018-7602 (another remote code execution flaw) to gain access and inject the offending script.
“We made attempts to contact the Make-A-Wish organization, and while they didn’t respond to us, we’re happy to note that the injected script was removed from their site shortly after our outreach attempt,” Kenin noted.
Administrators of Drupal-based websites are urged to update their installations to the latest version available if they don’t want their website to suffer a similar fate.
If they have failed to do so by now, they are advised to make sure their websites haven’t already been compromised with cryptojacking scripts (or worse!).
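One way to run that check, as an added example that is not part of the original article: because the campaign rotates the domains hosting the miner, the code below flags every script whose host is not on an allowlist of expected origins instead of matching known-bad names. The site name, the allowlist and the sample page are constructed assumptions; the injected tag mirrors the check.js case described above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def unexpected_scripts(html, page_url, allowed_hosts):
    """Return resolved script URLs whose host is not on the allowlist.

    Relative and protocol-relative URLs are resolved against page_url first,
    so //host/x.js and /x.js are attributed to the right origin.
    """
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for src in collector.sources:
        resolved = urljoin(page_url, src)
        host = (urlparse(resolved).hostname or "").lower()
        if host not in allowed:
            flagged.append(resolved)
    return flagged


# Constructed sample page: site name and allowlist are hypothetical; the
# injected tag mirrors the check.js / drupalupdates.tk case in the article.
SAMPLE_HTML = """
<html><head>
<script src="/core/misc/drupal.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script src="//drupalupdates.tk/check.js"></script>
</head><body></body></html>
"""
ALLOWED = {"www.example.org", "cdn.example.org"}

if __name__ == "__main__":
    for url in unexpected_scripts(SAMPLE_HTML, "https://www.example.org/", ALLOWED):
        print("unexpected script origin:", url)
```

Run against rendered pages from several sections of the site, since an injected tag may sit in a shared template or in only some nodes.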