More Than 300 Drupal Sites Cryptojacked

An independent security researcher found that sites running outdated Drupal versions are getting hit with cryptojacking scripts from Coinhive.

What do the sites of the San Diego Zoo, the government of Chihuahua, Mexico, Lenovo, UCLA, and DLink have in common?

According to independent security researcher Troy Mursch, they are all unintentionally mining cryptocurrency on their visitors' computers. He also found something else they share that could explain why they all fell so easily to these attacks.

“While these [...] sites have no relation to each other, they shared a common denominator—they [...] are using an outdated and vulnerable version of the Drupal content management system. After I analyzed the IoCs, I was able to locate over 300 additional websites in this cryptojacking campaign. Many discovered were government and university sites from all over the world,” he wrote.

Although Drupal is not as wildly popular as WordPress, millions of sites still use the CMS for various purposes, ranging from institutional presentations to e-commerce sites. The latest version of the software should protect against this, but Mursch warns that this protection is not retroactive for sites that have already been affected by cryptojacking.

“The Drupal security team has prepared a FAQ which documents the risk level and mitigation steps. Note that installing the update won’t retroactively ‘unhack’ your website and you may need to take further remediation steps,” he added.

Finding the Coinhive script manually may be difficult because the hackers who plant it obfuscate it. Website owners will have to go through their code line by line to look for references to CoinHive, “,” or any JavaScript that was added when problems appeared.
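The line-by-line search described above can be partly automated. The sketch below is an added example, not code from the article or from Mursch: it walks a webroot and flags files that reference CoinHive either in plain text or behind a few simple encodings (hex/unicode escapes, `String.fromCharCode`, base64). The file suffixes, function names and sample files are assumptions constructed for illustration, and heavier obfuscation will still need manual review.

```python
import base64, re, tempfile
from pathlib import Path
INDICATOR = re.compile(r"coinhive", re.I)          # the reference the article says to look for
SUFFIXES = {".js", ".html", ".php", ".inc", ".module", ".twig"}  # assumed file types
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
CHARCODE = re.compile(r"fromCharCode\(([\d\s,]+)\)")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}")

def _b64(run):  # returns '' when the run is not valid base64
    try:
        return base64.b64decode(run + "=" * (-len(run) % 4)).decode("latin-1")
    except ValueError:
        return ""

def first_hit(text):
    """Name the first view of the source that exposes the indicator, else None."""
    views = {
        "plain": text,
        "escapes": ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text),
        "charcode": " ".join(
            "".join(chr(int(n)) for n in re.findall(r"\d{1,7}", m.group(1)) if int(n) < 0x110000)
            for m in CHARCODE.finditer(text)),
        "base64": " ".join(_b64(run) for run in B64_RUN.findall(text)),
    }
    return next((label for label, view in views.items() if INDICATOR.search(view)), None)

def scan_tree(root):
    """Map each flagged file under root to the view that revealed the reference."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            label = first_hit(path.read_text(encoding="utf-8", errors="replace"))
            if label:
                hits[str(path.relative_to(root))] = label
    return hits

def demo():
    """Scan a constructed webroot: one clean file and four ways of writing the name."""
    name = "CoinHive.Anonymous"  # constructed sample reference
    samples = {
        "clean.js": "console.log('hello');",
        "page.html": "<script>var m = new %s('SITE_KEY');</script>" % name,
        "hex.js": "var s = '%s';" % "".join("\\x%02x" % ord(c) for c in name),
        "cc.js": "eval(String.fromCharCode(%s));" % ",".join(str(ord(c)) for c in name),
        "b64.php": "<?php echo '<script>eval(atob(\"%s\"))</script>';" % base64.b64encode(name.encode()).decode(),
    }
    with tempfile.TemporaryDirectory() as root:
        for fname, body in samples.items():
            Path(root, fname).write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Calling `scan_tree()` on a copy of the site's document root returns the flagged files; a hit labelled anything other than `plain` means the reference was encoded, which is itself worth investigating.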

Less than a month ago, SANS dean of research Johannes B. Ullrich found signs that Drupal sites started getting hit with cryptocurrency mining exploits.

In his investigation, the attack came in the form of a downloader that would mine using the server's resources rather than the client's, and its request used a referrer from the popular Chinese search engine Baidu.

We’re unsure what’s making hackers look at Drupal as a new favorite destination, but it may have to do with the fact that they’ve been crowded out by other cryptojackers. In that case, cryptocurrencies like Monero may have driven hackers into a frenzy, competing with each other for territory on exploitable websites.