Over the last year or so, cryptojacking—which forces your computer to mine cryptocurrency for bad guys when you visit an infected site—has become one of the internet’s most pervasive scourges. It’s shown up everywhere, even inside critical infrastructure. But its practitioners appear to have recently hit a new low, compromising the website of Make-A-Wish, the venerable charity that offers uplifting experiences for children with serious or terminal illnesses.
During a recent scan of infected sites, Trustwave SpiderLabs researcher Simon Kenin scrolled past a number of domains that had fallen victim to cryptojacking. Not so unusual these days, but one affected site jumped out at him: https://worldwish.org/en. That’s the home of Make-A-Wish International.
There’s nothing especially novel about the way hackers compromised the site. The Make-A-Wish site was built in part with Drupal, a popular open source content management system. In March, Drupal disclosed a critical vulnerability that allowed hackers to inject malicious code into sites that failed to install the available patch. Hundreds of sites fell victim this spring to the so-called Drupalgeddon 2 bug, according to analysis by security researcher Troy Mursch, with well over 100,000 more potentially exposed. Make-A-Wish was one of them, likely caught in a widely cast net.
“Criminals are going to be running just some vulnerability scans,” says Karl Sigler, threat intelligence manager at Trustwave SpiderLabs. “They probably have some command line scanner that only scans for one specific, or two or three specific vulnerabilities, and then they just start tossing web server addresses at it.” Most of the process, from finding vulnerable sites to the actual exploit, is likely automated.
In the case of Make-A-Wish, the attackers used the unpatched Drupal bug to insert cryptomining software called CoinImp onto the site, which forced any visiting computers to mine the cryptocurrency Monero. (Thanks to its built-in privacy measures, Monero has become exceedingly popular among cryptojackers and on the dark web.)
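For a site operator who wants to check whether a page has picked up an injected miner like the one described above, here is an added example (not from the article or from Trustwave) that lists every script on a page and flags third-party script hosts and miner-related keywords. The allowlisted hosts, the keyword list beyond "coinimp", and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption: constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"worldwish.org", "www.worldwish.org"}

# "coinimp" is the miner named in the article; "cryptonight" (Monero's mining
# algorithm) is added as an illustrative extra keyword (assumption).
MINER_KEYWORDS = ("coinimp", "cryptonight")

# Constructed sample of a Drupal page with one injected external loader and one inline stub.
SAMPLE_PAGE = """<html><head>
<script src="/sites/default/files/js/drupal.js"></script>
<script src="https://www.worldwish.org/core/misc/drupal.js"></script>
<script src="https://cdn.example-miner.test/lib/coinimp.js"></script>
<script>/* injected: coinimp */ startMining();</script>
</head><body><p>Make-A-Wish International</p></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (reason, snippet) pairs for scripts that deserve a human look."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative (first-party) paths
        if host and host not in allowed_hosts:
            findings.append(("third-party script host", src))
        if any(k in src.lower() for k in MINER_KEYWORDS):
            findings.append(("miner keyword in script URL", src))
    for body in parser.inline:
        if any(k in body.lower() for k in MINER_KEYWORDS):
            findings.append(("miner keyword in inline script", body.strip()[:80]))
    return findings


if __name__ == "__main__":
    for reason, snippet in find_suspicious_scripts(SAMPLE_PAGE):
        print(f"{reason}: {snippet}")
```

Run against saved copies of your own pages after every Drupal update; a new third-party host appearing in the output is worth explaining before it is ignored.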
“We are aware that the Make-A-Wish International Worldwish.org website was impacted by a vulnerability, which has been removed and remedied,” says Make-A-Wish spokesperson Silvia Hopkins. “No donor information has been compromised by this incident. Make-A-Wish International’s ongoing dedication to maintain website security against third-party threats remains a priority.”
The exact number of people impacted by this incident is likely unknowable, especially since it’s unclear exactly how long the CoinImp infection lasted. But anyone who visited the Make-A-Wish site during that time, for however long, would have had their CPU conscripted without their knowledge. Things would have gotten back to normal as soon as they closed the tab or navigated to another page.
A better question, though, may be how many people are affected by the broader wave of cryptojacking attacks targeting vulnerable Drupal sites. While these attacks seem to stem from a single group, or collection of actors, they are elementary to pull off. “A lot of websites are using Drupal, and the exploit is publicly available in all kinds of forms,” says Sigler. “Really, anybody could be launching these attacks.”
The patch has been available for months, but companies and nonprofits can be slow to update their sites for a multitude of reasons. Sigler notes that a small IT department might not have the bandwidth to prioritize security, while multinational corporations may move slowly due to logistical pressures. Not fixing known problems in a timely manner, though, gives cybercriminals an almost unbeatable hand. Just ask Equifax.
How Serious Is This?
The good news is that Make-A-Wish didn’t lose any money in the process, and the CoinImp attack wouldn’t have affected the personal information of the charity’s donors and recipients. If you visited the site during the infection, your CPU got overtaxed while you were there. Not ideal, but almost certainly no long-term harm done.
The gravity, though, lies in the reminder of just how out of control cryptojacking has become, and how few limits criminals will put on where they deploy it. Whether it’s a water utility or one of the most beloved charities in the US, truly no site is safe. At least, not until they get on top of their patches.