Moneycontrol
May 09, 2018 07:11 PM IST | Source: Moneycontrol.com

Nearly 350 websites infected in a mass cryptojacking campaign

All websites were infected using the same method: malicious code was injected into the JavaScript library of the website

Moneycontrol News @moneycontrolcom

In a mass cryptojacking campaign, over 300 websites using the Drupal content management system have been infected with cryptocurrency-mining malware.

Security researcher Troy Mursch, who is the brain behind the website Bad Packets Report, uncovered the malicious campaign involving the repeat offender Coinhive on Saturday. He said that many of the discovered websites were government and university sites from all over the world.

All websites were infected using the same method: malicious code was injected into the JavaScript library of the website.

Cryptojacking is the term used by security researchers for incidents in which hackers inject malicious code to mine cryptocurrency, essentially hacking a user's browser to mint money at the expense of his or her CPU power.

Mursch, in an interaction with Coindesk, said it was not as overt as ransomware, a practice in which hackers encrypt a user's documents and hold them for ransom, but continues to be a problem.

"This is because Coinhive and other cryptojacking services are simply done with JavaScript. Every modern browser and device can run JavaScript, so as such, everybody can mine cryptocurrency and unfortunately Coinhive has been used and abused time and time again. [In] this particular case, Drupal users need to update [as soon as possible]," he said.

Mursch, in order to uncover the length and breadth of the scam, scanned hundreds of thousands of websites. “After the scan completed, the full scope of this cryptojacking campaign was established — 348 infected websites. Using the bulk scan feature of urlscan.io, it became clear these were all sites running outdated and vulnerable versions of Drupal content management system,” he said.

“The affected sites varied by hosting providers and countries and no specific one appeared to be targeted. The unique domains were found in the United States and were hosted by Amazon.”

The affected sites include the US government’s National Labour Relations Board, the Government of Chihuahua, Mexico, and the University of Aleppo, among others. The full list of affected websites can be seen here.