Make-A-Wish Website Victim of Cryptojacking Attack

In a new low, cybercriminals recently compromised the website of the Make-A-Wish Foundation and embedded a script into it that used the computing power of visitors to the site to mine cryptocurrency, a process known as cryptojacking.

Researchers from Trustwave’s Spiderlabs discovered the compromise and reported it to Make-A-Wish. Though the foundation did not respond, the injected script has been removed from the site, the security vendor said in a blog last week.

The Make-A-Wish Foundation is a non-profit that is widely known for granting wishes to children with life-threatening illnesses. The foundation says that on average it helps make a child’s wish come true every 34 minutes. Thousands of people visit the organization’s site daily.

Simon Kenin, a security researcher at Trustwave, said the attackers likely exploited a critical and previously known bug in Drupal to embed the mining script on the Make-A-Wish website. One clue: The domain used for the cryptomining script in the attack previously has been associated with a campaign that exploited the Drupal bug, he said.

The remote code execution bug—popularly referred to as Drupalgeddon 2.0—was first disclosed in March and impacts sites running versions 6, 7 and 8 of the content management system. At the time, about 1 million websites worldwide were exposed to the vulnerability, which, among other things, allows attackers to access all non-public data on a website and to delete or modify all data on it at will. A security researcher discovered the highly critical flaw while conducting research into the general security of the Drupal platform.

Since the flaw was disclosed, a majority of sites running vulnerable Drupal versions have addressed the issue. But at least a few remain exposed to the threat—as the Make-A-Wish compromise demonstrated.

“It’s hard to tell how many websites are still vulnerable,” noted Karl Sigler, threat intelligence manager at Trustwave SpiderLabs. “While Drupal tracks the major versions that are installed, it’s hard to know how many of those might be unpatched.”

One noteworthy aspect of the cryptomining campaign involving the Make-A-Wish Foundation is that the attackers use different tactics to evade static detection systems, Trustwave said. The domain name that hosts the JavaScript miner, for instance, keeps changing, as do the domains and IP addresses that the WebSocket proxy uses. The goal appears to be to render blacklist-based blocking ineffective.

The key takeaway here for organizations is to always patch on time, Kenin said. “If you don’t manage the website yourself, make sure that whoever does patches in a timely fashion.”

Cryptojacking and cryptomining continue to be a major problem for organizations, though the issue has received considerably less attention this year than it did in 2017.

In a recent report, security vendor Secureworks estimated that there has been little letup in malicious activity involving the use of cryptocurrency miners between 2017, when the issue impacted 1 in 3 organizations, and 2018. Though the value of major cryptocurrencies such as Bitcoin and Monero has tumbled steeply, many low- to mid-tier criminals are still widely engaged in cryptojacking and coin mining activities, Secureworks noted.

Many browser plugins are available that can block cryptojacking and cryptominers, Sigler said. “Organizations can also deploy secure web gateways that will help filter out malicious content from all of your client’s browsers.”
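Trustwave's observation that the miner and WebSocket-proxy domains rotate faster than a blacklist can follow, and Sigler's point that content can be filtered before it reaches the browser, both lead to the same defensive idea: allowlist what a page may load and connect to, rather than enumerate what it may not. The following is an added example, not code from the article, from Trustwave or from the Make-A-Wish site. It is a small evaluator for the Content-Security-Policy directives `script-src` and `connect-src`, run over constructed resource requests; the site origin `https://example.org`, the CDN host and the `*.invalid` miner and proxy hostnames are all placeholders, and the matching rules are a simplified subset of CSP3 (keyword `'self'`, scheme sources, host sources with an optional `*.` prefix).

```python
"""Allowlist-based control of scripts and WebSocket endpoints (added example).

A rotated miner domain never appears in an allowlist, so it is blocked
without anyone having to learn the new name first.
"""
from urllib.parse import urlparse

# Constructed policy for a site served from https://example.org: scripts only
# from the site itself and one CDN; outbound connections (fetch, XHR and
# WebSockets all fall under connect-src) only back to the site.
SITE_ORIGIN = "https://example.org"
POLICY = "default-src 'none'; script-src 'self' https://cdn.example.net; connect-src 'self'"

# Constructed requests a page might make; the kind selects the directive.
REQUESTS = [
    ("script", "https://example.org/sites/default/files/js/app.js"),
    ("script", "https://cdn.example.net/jquery.min.js"),
    ("script", "https://miner-host-1.invalid/lib/miner.min.js"),  # placeholder miner domain
    ("websocket", "wss://proxy-7.invalid:8443/"),                 # placeholder WebSocket proxy
    ("websocket", "wss://example.org/live"),
]
DIRECTIVE_FOR_KIND = {"script": "script-src", "websocket": "connect-src"}


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def _origin(url: str) -> tuple:
    """(scheme, lowercased host, explicit port or None) of a URL or host-source."""
    u = urlparse(url)
    return (u.scheme, u.hostname, u.port)


def source_matches(expr: str, url: str, site_origin: str) -> bool:
    """Does one CSP source expression permit this URL? (simplified CSP3 subset)"""
    scheme, host, port = _origin(url)
    if expr == "'self'":
        s_scheme, s_host, s_port = _origin(site_origin)
        # CSP3: 'self' also covers ws:/wss: connections to the page's own host.
        schemes = {s_scheme, "wss"} if s_scheme == "https" else {s_scheme, "ws", "wss"}
        return host == s_host and scheme in schemes and port == s_port
    if expr.startswith("'"):
        return False  # 'none' and other keywords never grant a host match here
    if expr.endswith(":") and "://" not in expr:
        return scheme == expr[:-1]  # scheme source such as https: or wss:
    # host source: [scheme://]host[:port], host may begin with "*."
    e_scheme, e_host, e_port = _origin(expr if "://" in expr else "//" + expr)
    if e_scheme and e_scheme != scheme:
        return False
    if e_port is not None and e_port != port:
        return False
    if e_host.startswith("*."):
        suffix = e_host[1:]  # ".example.net"
        return host is not None and host.endswith(suffix) and host != suffix[1:]
    return host == e_host


def is_allowed(directive: str, url: str, csp: dict, site_origin: str) -> bool:
    """Browsers fall back to default-src when a fetch directive is absent."""
    sources = csp.get(directive, csp.get("default-src", []))
    return any(source_matches(s, url, site_origin) for s in sources)


def evaluate(requests=REQUESTS, policy=POLICY, site_origin=SITE_ORIGIN) -> list:
    """Return [(url, allowed)] for each constructed request under the policy."""
    csp = parse_csp(policy)
    return [(url, is_allowed(DIRECTIVE_FOR_KIND[kind], url, csp, site_origin))
            for kind, url in requests]


if __name__ == "__main__":
    for url, ok in evaluate():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {url}")
```

The two `.invalid` requests are blocked not because their names are known but because they are absent from the allowlist, which is what makes this approach indifferent to domain rotation. The same policy can be enforced at a secure web gateway for clients that do not honour CSP, at the cost of maintaining the allowlist as the site's legitimate dependencies change.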

The attack on Make-A-Wish also illustrates the need for organizations to address the Drupalgeddon 2.0 flaw urgently if they haven’t done so already. One reason is that the flaw can be exploited to do more than just cryptojacking.

Exploiting Drupalgeddon 2.0 gives attackers remote code execution capabilities. Since most of the time the code would be executed as the webserver user, the attackers are limited in what they can do only by the scope of the website directory, Kenin said. Depending on the situation, an attacker can exploit the flaw to elevate privileges on a compromised system.

“If it is a shared hosting, he could have access to all the websites on the server,” he said. “If it is an organization’s server, he could achieve [a] foothold and do further lateral movement into other computers,” on the organization’s network.
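Kenin's point that injected code runs as the webserver account and is bounded by what that account can reach suggests the check a defender would run after a Drupal RCE advisory: confirm that the webroot is not writable by the webserver (or by everyone), and list what has changed since the last known-good deployment. The following is an added example, not code from the article, from Trustwave or from any Drupal tooling. It walks a constructed, throwaway webroot built in a temporary directory; the file names, the week-old deployment time and the optional group id are assumptions, and on a real host the root path and `webserver_gid` would be the site's own values.

```python
"""Webroot write-scope and change audit (added example).

Reports two things under a webroot: files writable by others (or by the
webserver's group, when its gid is given) and files modified after a
reference time such as the last deployment.
"""
import os
import shutil
import stat
import tempfile
import time


def audit_webroot(root: str, since: float, webserver_gid=None) -> dict:
    """Return {'writable': [...], 'recent': [...]} with paths relative to root."""
    writable, recent = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged where it actually lives
            rel = os.path.relpath(path, root)
            others_w = bool(st.st_mode & stat.S_IWOTH)
            group_w = (webserver_gid is not None and st.st_gid == webserver_gid
                       and bool(st.st_mode & stat.S_IWGRP))
            if others_w or group_w:
                writable.append(rel)
            if st.st_mtime >= since:
                recent.append(rel)
    return {"writable": sorted(writable), "recent": sorted(recent)}


def build_sample_webroot():
    """Construct a throwaway webroot: a week-old baseline plus two anomalies.

    Returns (root, reference_time); the caller removes root when done.
    """
    root = tempfile.mkdtemp(prefix="webroot-")
    deploy_time = time.time() - 7 * 86400  # assumed: deployed a week ago

    def write(rel, mode, mtime):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("// constructed sample file\n")
        os.chmod(path, mode)  # chmod is absolute, so the umask does not interfere
        os.utime(path, (mtime, mtime))

    for rel in ("index.php", "core/lib/Drupal.php", "themes/site/js/app.js"):
        write(rel, 0o644, deploy_time)
    # anomaly 1: a configuration file the webserver (and anyone else) can write
    write("sites/default/settings.php", 0o666, deploy_time)
    # anomaly 2: a script that appeared after deployment (mtime = now)
    write("sites/default/files/js/inject.js", 0o644, time.time())

    return root, deploy_time + 60  # anything newer than the deployment is "recent"


def run_demo() -> dict:
    """Build the sample webroot, audit it, clean up, and return the findings."""
    root, since = build_sample_webroot()
    try:
        return audit_webroot(root, since)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    findings = run_demo()
    print("writable by others/webserver:", findings["writable"])
    print("modified since deployment:   ", findings["recent"])
```

An empty `writable` list is the condition Kenin's remark implies a site should be in: code running as the webserver can then read the site but cannot quietly edit it, and anything in `recent` that the deployment process cannot account for is worth a closer look.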