Cybercriminals often target known and unknown exploits found in operating systems and web architectures. Evidently, someone took advantage of a recent Drupal exploit to mine cryptocurrencies in an illegal manner. Although the exploit was patched in late March, there are still some concerns over how exactly this exploit was leveraged.

A Drupal Exploit Enabled Crypto Mining

As is the case with any security exploit, the people responsible for maintaining the project’s code will try to address this issue as soon as possible. In a lot of cases, that is much easier said than done, as there are many potential repercussions to keep in mind. For the Drupal developers, addressing the most recently discovered critical exploit has been a painstaking process.

The exploit itself allows hackers to leverage remote code execution against the Drupal content management system. While a patch was issued on March 28 to address this problem, it is still up to website owners to manually install this new patch and fix the problem. It is also not the first time we’ve seen such issues affect the Drupal CMS, as a similar problem was detected in late 2014.

In an April 13 post, the Drupal team confirmed that automated attacks attempting to compromise Drupal 7 and 8 websites were taking place. This is the direct result of the patched vulnerability and the failure of site owners to install said patch. Any site not patched as of April 11 may still be vulnerable to this exploit, although it remains unclear how many sites this was affecting at the time of writing.

What makes this particular exploit so worrisome is that someone successfully leveraged this weakness to begin mining cryptocurrencies through Drupal sites. More specifically, an HTTP POST request can be made against such sites to download files and execute their contents accordingly. The number of payloads being distributed through this attack has grown to worrisome levels as well.

It seems most of the attacks have involved installing backdoors to existing systems and executing cryptocurrency miners. As one has come to expect when talking about malicious cryptocurrency use, there is a link to Monero mining. More specifically, it seems the cryptocurrency miner in question is XMRig, which has made quite a name for itself in the past few months.

Whether or not we will see more of these malicious mining attacks involving servers running Drupal remains to be determined. It is certainly possible that the worst is yet to come, as site and server owners are notoriously slow when it comes to updating their systems. Even though this Drupal exploit is well known by now, the public exploit code is currently circulating on the internet.