Cryptojacking Now Spreads to Drupal Content Management System

A recently discovered vulnerability in Drupal, a content management system for web servers, was exploited by hackers on several occasions to mine cryptocurrencies, according to an analysis by a member of the SANS Technology Institute.

One of the most prominent attack vectors was a downloader that would dump the miner and then start it up.

“This exploit downloads a crypto coin miner and then, in a second attempt, starts it. These three commands are sent as two distinct exploit requests. We have seen a total of 3,814 requests,” wrote Johannes B. Ullrich, dean of research at SANS.

The fake request itself includes Baidu—a popular Chinese search engine—as its referrer, suggesting that the attacks are coming from an actor in that country.

It’s important to note, however, that putting Baidu’s URL as a referrer does not definitively prove that the hackers are Chinese.

Last year, we saw hackers using vulnerabilities in other content management systems like WordPress to mine cryptocurrencies. This is the first time we have seen Drupal get hit.

This is similar to the explanation behind the lack of MacOS viruses in comparison to Windows.

Ullrich also notes that these exploits were designed to work with Drupal 8, although they have also been adapted to work with version 7.

Since the exploit was discovered only last Friday, most websites running the CMS right now would still be vulnerable to it until they update their software.