After the publication of two severe security flaws in the Drupal CMS, cybercrime groups have turned their sights on this web technology in the hopes of finding new ground to plant malware on servers and make money through illegal cryptocurrency mining.
Their efforts and expectations were fully rewarded, as the two vulnerabilities —CVE-2018-7600 and CVE-2018-7602— left over one million websites vulnerable to hacks if they didn't receive immediate updates.
Some webmasters updated their sites, but many didn't, and those websites quickly fell victims to backdoors and coinminers shortly after the publication of proof-of-concept attack code.
Now, as time passes by, more malware campaigns targeting Drupal sites are getting off the ground —and two of them have been spotted the past week.
348 Drupal sites running an in-browser miner
The most recent of these campaigns has been discovered by US security researcher Troy Mursch.
The researcher discovered a group that gained access to Drupal sites and hid a version of the Coinhive in-browser cryptocurrency miner inside a file named "jquery.once.js?v=1.2," loaded on each of the compromised sites.
Mursch initially tracked down the infected files to over 100,000 domains, then narrowed down the results to 80,000 domains, and finally confirmed the infection on at least 348 sites where the in-browsing mining operation was actually taking place.
Among victims, there are many government and university portals, such as the National Labor Relations Board (US federal agency), the Turkish Revenue Administration, the University of Aleppo, and others, which Mursch has recorded in a Google Docs spreadsheet.
"Kitty" malware campaign hits Drupal sites
But before's Mursch's discovery, cyber-security firm Imperva also found another malware operation targeting Drupal sites, which they named the "Kitty" campaign because crooks hid an in-browser cryptocurrency miner inside a file named "me0w.js."
Crooks didn't use a version of the Coinhive in-browser miner for these attacks but instead used a similar product provided by legitimate Monero mining pool service webminerpool.com.
The Imperva team didn't share the number of sites affected by this campaign but said crooks didn't limit themselves to dropping an in-browser miner only.
They also installed a PHP-based backdoor on all compromised servers —for future access, even if the server owner updated his site— and a classic coinminer that utilized the underlying server's resources to mine Monero, instead of the users' browsers.
Imperva says the Monero address used in the Kitty campaign had also been spotted at the start of April in another series of hacks that targeted servers running vBulletin 4.2.x forums.
"The first generation of the 'Kitty malware' we discovered was version 1.5, and the latest version is 1.6," Imperva said in a report published last week. "This type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles."
The Drupal bugs disclosed in the past two months have received a lot of media attention, and for good reasons, as they allow an attacker easy access to vulnerable sites. While campaigns are still raging, it is important to remember that updating a hacked site is not enough. Site owners should also scan for backdoors and consider restoring from an older backup or reinstalling the site from scratch.