{"id":13878,"date":"2018-11-20T10:45:02","date_gmt":"2018-11-20T18:45:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/11\/20\/news-7645\/"},"modified":"2018-11-20T10:45:02","modified_gmt":"2018-11-20T18:45:02","slug":"news-7645","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/11\/20\/news-7645\/","title":{"rendered":"Hackers Hit Make-A-Wish Website With Cryptojacking Scheme"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5bf327a9fec8242d1ca66262\/master\/pass\/makeanotherwish.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Mon, 19 Nov 2018 21:37:46 +0000<\/strong><\/p>\n<p><span class=\"lede\">Over the last <\/span>year or so, <a href=\"https:\/\/www.wired.com\/story\/cryptojacking-cryptocurrency-mining-browser\/\">cryptojacking<\/a>\u2014which forces your computer to mine cryptocurrency for bad guys when you visit an infected site\u2014has become one of the internet\u2019s most pervasive scourges. It\u2019s shown up everywhere, even inside <a href=\"https:\/\/www.wired.com\/story\/cryptojacking-critical-infrastructure\/\">critical infrastructure<\/a>. But its practitioners appear to have recently hit a new low, compromising the website of Make-A-Wish, the venerable charity that offers uplifting experiences for children with serious or terminal illnesses.<\/p>\n<p class=\"paywall\">During a recent scan of infected sites, Trustwave SpiderLabs researcher Simon Kenin scrolled past a number of domains that had fallen victim to cryptojacking. <a href=\"https:\/\/www.wired.com\/story\/cryptojacking-has-gotten-out-of-control\/\">Not so unusual<\/a> these days, but one affected site jumped out at him: https:\/\/worldwish.org\/en. That\u2019s the home of Make-A-Wish International.<\/p>\n<p class=\"paywall\">There\u2019s nothing especially novel about the way hackers compromised the site. 
The Make-A-Wish site was built in part with Drupal, a popular open source content management system. In March, Drupal <a href=\"https:\/\/www.drupal.org\/sa-core-2018-002\" target=\"_blank\">disclosed<\/a> a critical vulnerability that allowed hackers to inject malicious code into sites that failed to install the available patch. Hundreds of sites <a href=\"https:\/\/badpackets.net\/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites\/\" target=\"_blank\">fell victim this spring<\/a> to the so-called Drupalgeddon 2 bug, according to analysis by security researcher Troy Mursch, with <a href=\"https:\/\/badpackets.net\/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600\/\" target=\"_blank\">well over 100,000 more<\/a> potentially exposed. Make-A-Wish was one of them, likely caught in a widely cast net.<\/p>\n<p class=\"paywall\">\u201cCriminals are going to be running just some vulnerability scans,\u201d says Karl Sigler, threat intelligence manager at Trustwave SpiderLabs. \u201cThey probably have some command line scanner that only scans for one specific, or two or three specific vulnerabilities, and then they just start tossing web server addresses at it.\u201d Most of the process, from finding vulnerable sites to the actual exploit, is likely automated.<\/p>\n<p class=\"paywall\">In the case of Make-A-Wish, the attackers used the unpatched Drupal bug to insert cryptomining software called CoinImp onto the site, which forced any visiting computers to mine the cryptocurrency Monero. (Thanks to its built-in privacy measures, <a href=\"https:\/\/www.wired.com\/2017\/01\/monero-drug-dealers-cryptocurrency-choice-fire\/\">Monero has become exceedingly popular<\/a> among cryptojackers and on the dark web.)<\/p>\n<p class=\"paywall\">\u201cWe are aware that the Make-A-Wish International Worldwish.org website was impacted by a vulnerability, which has been removed and remedied,\u201d says Make-A-Wish spokesperson Silvia Hopkins. 
\u201cNo donor information has been compromised by this incident. Make-A-Wish International\u2019s ongoing dedication to maintain website security against third-party threats remains a priority.\u201d<\/p>\n<p class=\"paywall\">The exact number of people impacted by this incident is likely unknowable, especially since it\u2019s unclear exactly how long the CoinImp infection lasted. But anyone who visited the Make-A-Wish site during that time, for however long, would have had their CPU conscripted against their knowledge. Things would have gotten back to normal as soon as they closed the tab, or navigated to another page.<\/p>\n<p class=\"paywall\">A better question, though, may be how many people are affected by this general wave of cryptojacking attacks that target vulnerable Drupal sites. While they seem to stem from a single group, or collection of actors, it\u2019s elementary to pull off. \u201cA lot of websites are using Drupal, and the exploit is publicly available in all kinds of forms,\u201d says Sigler. \u201cReally, anybody could be launching these attacks.\u201d<\/p>\n<p class=\"paywall\">The patch has been available for months, but companies and nonprofits can be <a href=\"https:\/\/www.wired.com\/2017\/05\/still-use-windows-xp-prepare-worst\/\">slow to update their sites<\/a> for a multitude of reasons. Sigler notes that a small IT department might not have the bandwidth to prioritize security, while multinational corporations may move slowly due to logistical pressures. Not fixing known problems in a timely manner, though, gives cybercriminals an almost unbeatable hand. <a href=\"https:\/\/www.wired.com\/story\/equifax-breach-no-excuse\/\">Just ask Equifax<\/a>.<\/p>\n<p class=\"paywall\">The good news is that Make-A-Wish didn\u2019t lose any money in the process, and the CoinImp attack wouldn\u2019t have affected the personal information of the charity\u2019s donors and recipients. 
If you visited the site during the infection, your CPU got overtaxed while you were there. Not ideal, but almost certainly no long-term harm done.<\/p>\n<p class=\"paywall\">The gravity, though, lies in the reminder of just how out of control cryptojacking has become, and how few limits criminals will put on where they deploy it. Whether it\u2019s a water utility or one of the most beloved charities in the US, truly no site is safe. At least, not until they get on top of their patches.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/make-a-wish-website-cryptojacking-hack\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5bf327a9fec8242d1ca66262\/master\/pass\/makeanotherwish.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Mon, 19 Nov 2018 21:37:46 +0000<\/strong><\/p>\n<p>Cryptojacking officially knows no 
bounds.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-13878","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13878"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13878\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13878"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}