One or more unscrupulous miscreants loaded the Make-A-Wish Foundation's international website with cryptocurrency-mining malware scripts.
Researchers with Trustwave say that the (now clean) site WorldWish.org was compromised through a Drupal exploit and seeded with malicious JavaScript that used the CPU cycles of visitors' machines to generate cryptocurrency.
It appears that the site was running an older version of the Drupal CMS vulnerable to CVE-2018-7600, the remote code execution flaw known, for marketing purposes, as "Drupalgeddon 2." Successful exploitation of the vulnerability gives an attacker the access level of the current user and, in the case of web servers, this means the ability to access and edit pages.
In a cryptojacking attack, a short script embedded in the compromised page calls out to another server to fetch the actual cryptocurrency-mining script. The location of that server can also be obscured by changing its address or bouncing the connection through other servers. When a user visits the infected page, the mining script is called and the user's machine is used to generate cryptocurrency for the attacker.
Having been widely publicized since May, the Drupal bug is now easy to scan for and attack, thanks to readily available exploit scripts. This means that anyone from inexperienced cyber criminals to large organized groups could be behind the attack.
It is not clear what exactly motivated the scum to compromise the website of a charity that performs acts of kindness for seriously ill children, but Trustwave SpiderLabs threat intelligence officer Karl Sigler told El Reg that the site was probably caught in a wider net cast for vulnerable sites that also had high traffic rates.
"It makes sense to me that it was more opportunistic, but there might be some evidence going on here," explained Sigler.
"After launching their large-scale network, they may have made checks to eliminate small mom and pop sites that receive only a few visitors."
The time of year could also have had something to do with the dirtbag choosing Make-A-Wish as a target. Sigler said that during the holiday season, attackers tend to try to infect sites and pages that get large amounts of traffic, and charities are a particularly good target (as long as one is free of morals and any basic sense of human decency).
"As far as we know, this is a poor administrator who tries to run an international website with many users," explained Sigler.
"We have seen over and over again where security is neglected."
Protecting against the attack is simple enough: make sure that Drupal (and all other web server apps) are up to date and fully patched. Administrators should also keep an eye out for any unusual changes or activity on their pages that may indicate an attack. ®