Source: Threatpost

The details: The NGO community is a frequent target of attack because its security programs are often outdated and underfunded. Recently, the website of the Make-A-Wish Foundation was “cryptojacked”: attackers modified it to serve an increasingly popular cryptomining script.

The hack involved attackers accessing the Make-A-Wish website through a Drupal vulnerability dubbed Drupalgeddon 2. The Drupalgeddon 2 attack takes advantage of Drupal installations that have not patched CVE-2018-7600 and CVE-2018-7602, two vulnerabilities that have already been targeted this year.

Why it matters: It's unfortunate that an organization like Make-A-Wish fell victim to an attack that deployed a popular cryptomining script called CoinImp. Attackers insert the mining JavaScript into a website so that visitors' browsers are hijacked to mine a cryptocurrency, webchain.network, for as long as they remain on the page.

“What’s interesting about this particular campaign is that it uses different techniques to avoid static detections,” said Simon Kenin, a security researcher at Trustwave SpiderLabs. Attackers start by changing the domain name that hosts the JavaScript miner, which is itself obfuscated. The WebSocket proxy then uses different domains and IPs in order to make blacklist solutions obsolete.

The script's ability to evade traditional blacklist-based defenses, such as antivirus software and similar products, may result in an increase in attacks using it.
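One defensive consequence of the evasion Kenin describes is that detection has to key on what a miner does in the browser rather than on which host serves it. The heuristic scanner below is an added example, not code from Threatpost, Trustwave or CoinImp; the sample page, the indicator patterns and the entropy cutoff are constructed assumptions.

```python
import math
import re

# Behavioural indicators common to browser miners. None of them names a host,
# so rotating the serving domain or IP (the evasion described above) does not help.
INDICATORS = {
    "websocket": re.compile(r"\bWebSocket\s*\(|wss?://", re.I),
    "wasm": re.compile(r"\bWebAssembly\b"),
    "workers": re.compile(r"new\s+Worker\s*\(|hardwareConcurrency"),
    "mining_proto": re.compile(r"\b(?:job_id|nonce|hashrate|difficulty)\b", re.I),
}
ENTROPY_THRESHOLD = 5.2  # bits/char; assumed cutoff for packed or obfuscated JS
SCRIPT_RX = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)  # inline scripts only

def shannon_entropy(text):
    """Bits per character; obfuscated code is usually denser than hand-written JS."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text)))

def score_script(src):
    """Return the list of indicator names that fire on one script body."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    if shannon_entropy(src) > ENTROPY_THRESHOLD:
        hits.append("high_entropy")
    return hits

def scan_html(html, min_hits=2):
    """Return (script_index, hits) for every inline script with at least min_hits indicators."""
    flagged = []
    for i, src in enumerate(SCRIPT_RX.findall(html)):
        hits = score_script(src)
        if len(hits) >= min_hits:
            flagged.append((i, hits))
    return flagged

# Constructed sample page: one ordinary script and one miner-shaped script (not real CoinImp code).
SAMPLE_HTML = """<html><body>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
<script>var _0x1=new WebSocket("wss://"+_0x2a[3]+"/proxy");var w=[];
for(var i=0;i<navigator.hardwareConcurrency;i++){w.push(new Worker(_0x2a[0]));}
_0x1.onmessage=function(m){var j=JSON.parse(m.data);if(j.job_id){w[0].postMessage(j);}};</script>
</body></html>"""

if __name__ == "__main__":
    for idx, hits in scan_html(SAMPLE_HTML):
        print(f"script #{idx} flagged: {', '.join(hits)}")
```

Because the score is built from behaviour rather than from a domain list, the same page would be flagged no matter which host the proxy and loader are moved to.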

The hacker’s perspective:

Tell Hause, Randori Security Researcher, says:

"While it's not the most wholesome headline I've read recently, I don't believe that the attackers behind this attack were targeting Make-A-Wish any more than any other corporation running outdated Drupal software. From the looks of the vulnerability exploited, someone scoured the internet for unpatched Drupal versions and dropped this crypto-mining software on whatever they could. Given the low barrier to entry to push this kind of exploit, it's surprising to see that it took this long for this to be noticed and remediated. Moreover, this and other reports like it continually show how hard it is to do configuration management and regular patching at scale."