- The amount of traffic and time of the year could have been the motivation for the attack
The practice of replacing revenue resources with cryptocurrency mining has become popular with smaller websites and not the big ones. A report shared by Trustwave SpiderLabs with Bleeping Computer says:
“The Cryptojacking phenomenon is so widely spread that it is sometimes hard to tell whether a website is infected with malware or the mining code was genuinely added by the site owner.”
The compromise is reported to have happened via a Drupal exploit since the website was apparently using an old version of the Drupal CMS that is vulnerable to CVE-2018-7600, which is a remote execution bug that is designed for marketing purposes as “Drupalgeddon 2.” When exploited successfully, the attacker gets the user’s access level and in the case of a web server it means the ability to become an administrator who can access and modify pages.
Hackers cast a wide net
In terms of cryptojacking attacks, the attackers embedded a short script into the compromised page so that it calls another server to get the real cryptocurrency mining script. The bug “confuses” the server by changing its address or causing it to bounce the connection off other servers. When visitors access the infected page, it activates the mining script and makes use of the visitor’s machine to mine cryptocurrencies for the attacker.
While it’s not clear exactly why the cybercriminals compromised the website of a charity organization that does acts of kindness to assist seriously ill children, Trustwave SpiderLabs intelligence manager Karl Sigler believes the Make A Wish website was caught in a wider net that were hunting for vulnerable websites that have high traffic rates.
It is also possible that the time of the year made choosing the Make-A-Wish website a target being that attackers love infecting sites and pages with huge amounts of traffic during such as charity organizations during the holiday season. Karl explained:
“It makes sense to me that it was more opportunistic, but there may be some vetting going on here,[…] after they cast their broad-based net they may have done some vetting to eliminate the small mom and pop sites that only get a few visitors.”