Posted on November 20, 2018 at 3:13 PM
Cryptojacking has emerged as one of the most pervasive blights on the internet landscape in the past couple of years. Cryptojacking is when criminals make a computer carry out cryptocurrency mining for them. It seems that nobody is safe from this terrible scam, not even the most innocent, and the latest victim is one of the world’s most well-known charities. The website of Make-A-Wish International, which arranges to make dreams come true for children who are suffering from a terminal illness or other serious sicknesses, has fallen foul of this heinous practice.
It is sadly not uncommon these days to come across infected domains, but a new scan revealed a surprising target in https://worldwish.org/en, the base of the well-loved children’s charity.
The way the hackers went about compromising the site is nothing special. The Make-A-Wish website was partly built with Drupal, a prevalent open source content management system. Drupal disclosed a dangerous vulnerability in the spring, which enabled malicious code to be injected into sites that had not installed the available patch. Security researcher Tony Mursch reports that, since this announcement in March, the Drupalgeddon 2 bug has thrown hundreds of sites into disarray, and that more than 10,000 further sites are almost certainly also unprotected. Attacks on this bug do not discriminate between sites, which is how Make-A-Wish became one of those entangled in the net.
Karl Sliger, a threat intelligence manager at Trustwave SpiderLabs, suggests that criminals are only going to run a few vulnerability scans. Sliger says that it is likely that hackers are using some sort of command line scanner that only scans for a handful of particular vulnerabilities and that, after the initial scan is made, they just start throwing random web server addresses at the scanner. He suggests that much of the whole process, from sourcing vulnerable sites to the actual criminal deed, is most probably automated.
CoinImp, a piece of cryptomining software, was inserted through the Drupal vulnerability in the case of the Make-A-Wish exploit. This meant that any computer that visited the site involuntarily mined the cryptocurrency Monero. This cryptocurrency has become extensively used on the dark web and by cryptojackers alike, due to its inbuilt privacy measures.
Make-A-Wish spokesperson Silvia Hopkins admitted that the charity’s website had been impacted by a vulnerability, but that this had now been fixed and removed. Ms. Hopkins assured donors that this unfortunate incident had not compromised any of their information at all and that cybersecurity remains a top priority that the charity is dedicated to maintaining.
Who Else Has Been Affected?
It is unknown exactly how many people this incident has impacted, as experts are not clear as to precisely how long the CoinImp infection actually lasted. However, visitors to the Make-A-Wish site throughout that period will have had their CPU conscripted without knowing. Once the tab was closed, or they navigated to another page, things would have gone back to normal.
A more relevant question, however, is how many people these cryptojacking campaigns, which aim for vulnerable Drupal sites, have affected altogether. Although they seem to originate from one group or a gathering of actors, the attack is easy for anyone to carry out. Trustwave SpiderLabs’ Karl Sliger says that so many websites are incorporating Drupal and that the exploit is readily available in many different shapes and sizes. Realistically, “anybody could be launching these attacks.”
The patch has been available for many weeks now. However, nonprofits and other companies do not always rush to update their sites for one reason or another. For example, a small IT department may not possess the bandwidth to make security a priority, and multinational corporations may be slowed by logistical pressures. A stitch in time saves nine though, and patching and sorting out any issues quickly ensures that cybercriminals never get the upper hand.
Is This Very Serious?
No money was lost by Make-A-Wish in the whole unsavory procedure, and as Silvia Hopkins pointed out, the personal information of the charity’s recipients and donors was not affected by the CoinImp attack. The CPUs of site visitors during the infection would unfortunately have been overtaxed. This is clearly far from perfect, but at least no permanent damage has been done.
However, the severity of this attack lies in the reminder of just how rampant cryptojacking has become, and the fact that criminals do not place any limits on how or where they are willing to install it. Whether it’s a water utility or one of the US’s most cherished charities, it is clear that no site is free from this crime. So it is time site owners take commanding control of their patches.