Hundreds of big-name sites hacked, converted into drive-by currency miners

A mass hacking campaign that targets a critical vulnerability in the Drupal content management system has converted more than 400 government, corporate, and university websites into cryptocurrency mining platforms that surreptitiously drain visitors’ computers of electricity and computing resources, a security researcher said Monday.

Sites that were hacked included those belonging to computer maker Lenovo, the University of California at Los Angeles, the US National Labor Relations Board, the Arizona Board of Behavioral Health Examiners, and the city of Marion, Ohio, Troy Mursch, an independent security researcher, told Ars on Monday.

The Social Security Institute of the State of Mexico and Municipalities, the Turkish Revenue Administration, and Peru’s Project Improvement of Higher Education Quality were also affected. The US had the largest concentration of hacked sites, with at least 123, followed by France, Canada, Germany, and the Russian Federation, with 26, 19, 18 and 17, respectively.

The sites all ran the same piece of JavaScript hosted on The highly obfuscated code caused visitors’ computers to dedicate 80 percent of their CPU resources to mining the digital coin known as Monero with no notice or permission. The attacker behind the campaign took control of the sites by exploiting a Drupal vulnerability that makes code-execution attacks so easy and reliable it was dubbed “Drupalgeddon2.” Although Drupal maintainers patched the critical flaw in March, many vulnerable sites have been slow to install the fix. The lapse touched off an arms races among malicious hackers three weeks ago.

“We’ve seen plenty [of] examples of Drupalgeddon 2 being exploited in the past few weeks,” Mursch wrote in a blog post published over the weekend. “This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP.”

In an email sent Monday morning, Mursch said that some of the hacked websites were disinfected after his blog post went live. Cleaned up sites included the one belonging to the National Labor Relations Board. The hacking campaign, however, remained active and continued to compromise new sites. Over the weekend, Mursch counted 348 affected sites. By Monday morning, the number grew to more than 400. Among the newer infected sites was Other subdomains didn’t appear to be affected.

Multiple security firms have reported that large networks of infected computers and Internet-connected devices are mass-scanning the Internet in an attempt to identify vulnerable websites. When the botnets identify unpatched Drupal software, they run automated scripts that exploit the vulnerability. Besides using the flaw to run scripts that perform drive-by cryptocurrency mining on visitors’ computers, the hackers are also installing malware that can carry out Internet-degrading denial-of-service attacks on other sites. Drupalgeddon2 harkens back to a 2014 Drupal vulnerability dubbed Drupalgeddon, which also made it easy to commandeer vulnerable servers.

As if Drupalgeddon2 wasn’t bad enough, Drupal maintainers two weeks ago warned a new code-execution vulnerability is also being actively exploited online. The latest vulnerability is harder to exploit, because it requires code that’s customized to each site. Still, the potential for hacks that convert high-bandwidth websites into powerful attack platforms remains.

Anyone running a Drupal site that’s vulnerable to either exploit should patch their systems immediately. Drupal maintainers have published this FAQ page. Anyone administering a hacked site should remember that besides updating Drupal, the site will also have to be disinfected.

[ufc-fb-comments url=""]

Latest Articles

Related Articles