Hackers are exploiting unpatched Drupal sites to mine cryptocurrency

Drupal Remote Code Execution

Internet firewall company Imperva detected attacks that attempt to exploit unpatched Drupal sites and implant a JavaScript cryptocurrency miner called CoinIMP on the vulnerable sites. This mining script works like the well-known Coinhive: it uses the browsers of all site visitors to mine the Monero cryptocurrency for the hackers.

Imperva said the attacks began on February 23, three days after Drupal fixed the CVE-2019-6340 vulnerability and two days after PoC exploit code for it became available on different sites. Imperva said that the hundreds of attacks it detected were based on that PoC exploit, which again proved that the release of PoC code primarily helped the attacker, not the site owner.

This is not the first time attackers have exploited vulnerabilities to implant miners. The Drupal content management system received two patches last year, for Drupalgeddon 2 (CVE-2018-7600) and Drupalgeddon 3 (CVE-2018-7602). As in last week's incident, the security researchers who analyzed those two vulnerabilities also released PoC code, which attackers used to launch attacks within a few days.