Over the last seven months, we've witnessed a large growth in malicious cryptocurrency mining operations. This activity, commonly known as cryptojacking, steals the computational (CPU) resources of victims' device to mine cryptocurrency.
In March 2018, a highly critical flaw dubbed "Drupalgeddon 2" was disclosed that affected all previous versions of Drupal. This CMS is a popular alternative to WordPress and is used by many universities and government organizations worldwide. A proof of concept (PoC) demonstrating this vulnerability was published by Check Point Research in April 2018. This PoC highlighted the severity by illustrating the relative ease of performing the exploit to gain administrator access on the target server.
How many Drupal websites are vulnerable?
Researchers recently found over 100,000 Drupal websites are running outdated and vulnerable versions.
These websites are at risk of being compromised and unfortunately we already have seen hundreds of them exploited for malicious purposes. The most common trend found was the affected sites were used to host cryptojacking scripts.
Drupal Cryptojacking Campaigns
The first and smallest cryptojacking campaign uses Crypto-Loot, which is a lesser known alternative to Coinhive. This campaign uses the "jquery.once.js?v=1.2" library to inject Crypto-Loot which forces visitors to mine cryptocurrency. The most notable site found is the "The Situation Room Experience" which is maintained by the US federal government.
The outdated Drupal version of situationroom.archives.gov was confirmed by visiting CHANGELOG.txt. In this case, the installation should be updated to version 7.58 or later. These findings were shared with US-CERT and the website was taken offline for maintenance on May 24, 2018.
The second and largest cryptojacking campaign affected hundreds of compromised Drupal sites including those of Lenovo, UCLA, the San Diego Zoo, and US federal government agencies.
The San Diego Zoo
UCLA Atmospheric & Oceanic Sciences
Lenovo.com User Portal
EEOC Office of Inspector General
Each affected site is using an outdated and vulnerable version of Drupal. Coinhive is injected via obfuscated code found in "jquery.once.js?v=1.2" that points to the domain name vuuwd[.]com.
Performing a WHOIS lookup for the vuuwd[.]com, we unfortunately find blatantly false information:
However, looking into this domain name further, we find some interesting details available only on SecurityTrails.com.
Prior to its use in the Drupal cryptojacking campaign, we clearly see this domain was used in cryptocurrency mining operations. It's interesting to see the campaign operator switched from a mining pool (minexmr.com) that only has a 1% fee to Coinhive, which takes a 30% cut of all XMR mined using their platform. It's also possible they were banned from the mining pool as it's not unprecedented for pool operators to cut off malicious users.
The historical DNS records also provide a timeline of when the cryptojacking campaign was briefly inactive while the domain was briefly blackholed to 127.0.0.1 on May 8, 2018 after US-CERT was notified. However, a week later the domain name was restored to its prior host (220.127.116.11) and the cryptojacking campaign resumed. No reason was provided by the domain name registrar, Namecheap, as they repeatedly stated, "We have thoroughly investigated your allegation to the extent of our capabilities, but we were unable to validate your claim(s), unfortunately." They advised no further action will be taken unless they are provided with, "a court order issued by a U.S. court or law enforcement entity."
The Coinhive site key used on vuuwd[.]com, was also terminated on May 8, 2018. This was confirmed by checking the response sent from Coinhive's websocket servers using Fiddler.
The response clearly indicates the site key "KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6" is banned and no mining operations occur. However, the termination was short-lived as the Coinhive site key changed to "NApgnOcjBzLNCybG258355n0wQrqq3D4" when access was restored to vuuwd[.]com on May 16, 2018.
The Coinhive site key changed yet again on June 3, 2018 as replacement key "XpftuDpLA1PAP78Bse4lmhi86HHI4paS" was found on vuuwd[.]com.
The #Coinhive site key used in the vuuwd[.]com #cryptojacking campaign has changed to "XpftuDpLA1PAP78Bse4lmhi86HHI4paS" -- The previous key "NApgnOcjBzLNCybG258355n0wQrqq3D4" was removed around 2:00 AM UTC today. pic.twitter.com/9mJR8iYJ1g— Bad Packets Report (@bad_packets) June 3, 2018
No explanation was provided by Coinhive as to why they continuously give the same user a new site key to use for malicious purposes. Given Coinhive's previous abuse practices before the Brian Krebs investigation into their company, it's not surprising to see their lack of regard in this case.
The third and most recently discovered cryptojacking campaign injects Coinhive via upgraderservices[.]cf/drupal.js. This campaign consists of over 200 compromised websites including those of government and educational institutions. The full write-up on this campaign is detailed in the latest post on Bad Packets Report.
Website operators need to ensure they are using the latest version available of their CMS. All Drupal versions prior to 7.58 and 8.5.1 are vulnerable and are being actively exploited. Miscreants will continue to target outdated websites for cryptojacking operations as long as mining cryptocurrency is a viable income method.
While WHOIS data may be limited in nature, historical DNS records can provide valuable details. This is especially true when you need to establish a timeline of malicious activity tied to a domain name.
At SecurityTrails.com, we will continue to provide you with security research and tools that expand your OSINT toolkit.