Attackers Still Use the Drupalgeddon2 Vulnerability for Cryptojacking

A critical remote code execution vulnerability in the Drupal content management system, known as Drupalgeddon2 (CVE-2018-7600, fixed in Drupal security advisory SA-CORE-2018-002), was disclosed and patched in March 2018. As with many patches, site owners either don't know that they need to update or dismiss the update as unnecessary. That lapse is the crux of a widespread problem: attackers are exploiting still-unpatched sites to inject cryptojacking code that silently uses visitors' computers to mine cryptocurrency.

What is Cryptojacking?

Cryptojacking is a relatively new attack whose goal is to mine digital currency for the attacker. Mining cryptocurrency consumes compute: a miner repeatedly attempts proof-of-work puzzles, and the rate at which it can attempt them limits how much currency it earns. When the miner finds a solution, it is rewarded in the currency being mined. In the Drupalgeddon2 campaigns the currency is usually Monero, which is designed for transaction privacy (so payouts are hard to trace) and whose proof-of-work algorithm is practical to mine on ordinary CPUs, which is what makes it suitable for mining inside a web browser.

Mining burns electricity, and the power bill can quickly exceed the value of the coins mined. Miners can join pools and combine their hashing power, but even pools are limited to the hardware their members pay for. Cryptojacking lets an attacker harness potentially thousands of visitors' computers at no cost to themselves, with the victims paying for the electricity, which can add up to thousands of dollars in digital currency for the attacker.

The usual delivery vector is JavaScript injected into a compromised website, so that every visitor's browser runs the miner for as long as the page is open. Mining scripts have also been delivered through third-party ad networks without the host site's knowledge. There are few obvious signs beyond sustained high CPU usage: the visitor's computer becomes extremely sluggish, the fan spins up, and the user assumes the machine is failing. Closing the browser or rebooting makes the problem disappear, until they visit the same site again.

Why is Cryptojacking Dangerous for Businesses?

On the surface, cryptojacking seems like the least of an IT administrator's worries. Most exploits are dangerous because the business loses data, or because the attacker leaves behind backdoors or malicious software such as ransomware. Cryptojacking is dangerous because of the resources it consumes on each machine, which in turn raises the corporation's utility bills. Usually it isn't just one computer on the network: it's dozens or hundreds of users whose browsers are running the miner, and that can raise utility expenses by thousands of dollars.

Cryptojacking also reduces productivity. The miner drains CPU on each user's machine, so the local computer, and with it everything the user is trying to do, runs much more slowly. That sluggishness takes a further, indirect toll on revenue.

In the case of the Drupalgeddon2 exploit, Drupal shipped the patch in March 2018, yet many site owners still have not taken the time to apply it. One site that fell victim was Lenovo's: visitors to the compromised page unknowingly ran the injected script, which consumed their CPU to mine digital currency for the attacker. Since Lenovo's site is heavily trafficked, it is plausible that the attackers got a very large number of visitors to run the miner, although how much currency the campaign actually produced is not known.

Protecting Your Corporation from Insider Threats

It isn't always outsiders attacking corporate resources; attackers can also come from within. An employee with write access to the web tier, the CMS or a deployment pipeline can add the same mining JavaScript directly, without needing an exploit at all. The result is that you could be running a mining operation for someone else's benefit without your knowledge, and the cost of doing business goes up accordingly.

Some antivirus products and browser extensions block known mining scripts, but because the attack is still relatively young, traditional signature-based anti-malware tools do not always catch new miner scripts or domains. User education remains important: teach employees to avoid unfamiliar sites and not to click links from unreliable sources. On the server side, the most direct defence is to keep software such as Drupal patched and to watch for unexpected scripts on your own pages and unexplained CPU spikes on the machines that view them.

For more ways to protect against internal attackers, see how the GateKeeper 2FA token can help. Proximity-based authentication can control access to computers, websites and desktop applications, and can also be used to protect access to cryptocurrency hardware wallets.
