Select Page

Cybercriminals have actively started exploiting an already patched security vulnerability in the wild to install cryptocurrency miners on vulnerable Drupal websites that have not yet applied patches and are still vulnerable.

Last week, developers of the popular open-source content management system Drupal patched a critical remote code execution (RCE) vulnerability (CVE-2019-6340) in Drupal Core that could allow attackers to hack affected websites.

Despite releasing no technical details of the security vulnerability, the proof-of-concept (PoC) exploit code for the vulnerability was made publicly available on the Internet just two days after the Drupal security team rolled out the patched version of its software.

Now, security researchers at data centre security vendor Imperva discovered a series of attacks—that began just a day after the exploit code went public—against its customers’ websites using an exploit that leverages the CVE-2019-6340 security flaw.

The attacks originated from several attackers and countries have found targeting vulnerable Drupal websites, including sites in government and the financial services industry, that are still vulnerable to the recently patched Drupal Core vulnerability.

According to the researchers, the attacks started on February 23, just three days after the Drupal developers patched the vulnerability, and attempted to inject a JavaScript cryptocurrency miner named CoinIMP on the vulnerable Drupal websites to mine Monero and Webchain cryptocurrencies for attackers.

Similar to the infamous CoinHive service, CoinIMP is a browser-based cryptocurrency mining script that attackers injected into the index.php file of the vulnerable Drupal websites so that site visitors will run the mining script and mine cryptocurrency when they browse the site’s main page.

images from Hacker News