Hackers Inject Coinhive Malware into Hundreds of Websites

Coinhive is a powerful program that uses the computing resources of the machine it's installed on to mine the privacy-centric cryptocurrency Monero. Publishers such as Salon have been using Coinhive as a means to drive revenue from visitors to their websites, and UNICEF recently launched a website where users can visit and donate computer resources to mine crypto that’s intended to support children and families in need around the globe. However, Coinhive can also be installed maliciously, which has led to a widespread issue called cryptojacking.

Cryptojacking, by definition, is an occurrence in which hackers and other cyber criminals maliciously install modified Coinhive code onto unsuspecting users’ computers through backdoor vulnerabilities, with the intent of hijacking computer resources to mine cryptocurrency that is deposited into the hackers’ wallets.

Troy Mursch, a security researcher who runs the website Bad Packets – a site focused on “cryptojacking, botnets, network abuse, and other security topics” – has discovered a new cryptojacking campaign that has affected hundreds of websites using the popular content management system Drupal.

Through a vulnerability in an older version of Drupal, hackers were able to inject malicious code into the websites of various government entities, universities, and many more. In total, over 300 websites have been affected by the cryptojacking campaign. Users visiting these websites will have their computer resources tapped to mine crypto, though they are not likely to notice a difference, which is why cryptojacking tends to go undetected for extended periods of time.

A full list of affected websites is available in a Google Sheet. Website operators that use Drupal as a content management system are encouraged to update to the latest version as soon as possible. Drupal has released a FAQ to assist in determining risk and in taking action to remove the malicious code. Bad Packets notes that updating the software will not remove the hack, and that further steps are required to remove the unwanted program; updating the software will prevent the vulnerability from being exploited again in the future.