One or more completely feckless scumbags have loaded the Make-A-Wish foundation's international website with crypto-mining malware scripts.
It seems that the site was using an older version of the Drupal CMS that was vulnerable to CVE-2018-7600, the remote code execution bug known for marketing purposes as "Drupalgeddon 2." The successful exploit of the vulnerability gives an attacker the current user's access level and, in the case of web servers, this means the ability to access and modify pages.
In the context of a crypto-jacking attack, the compromised page has a short script embedded into it that calls another server to get the actual cryptocoin mining script. That server can also be obfuscated by changing its address or bouncing the connection off other servers. When a user visits the infected page, the mining script is called and the user's machine is used to generate cryptocurrency for the attacker.
Having been widely reported since May, the Drupal bug is now easy to scan for and target for attack, thanks to readily available exploit scripts. This means anyone from novice cybercriminals to large, organized groups could be behind the attack.
It's not clear what exactly motivated the utter scum to chose to compromise the website of a charity that performs acts of kindness for seriously ill children, but Trustwave SpiderLabs threat intelligence manager Karl Sigler told El Reg that the site was likely caught in a wider net looking for vulnerable sites that also happened to have high traffic rates.
"It makes sense to me that it was more opportunistic, but there may be some vetting going on here," Sigler explained.
"After they cast their broad-based net they may have done some vetting to eliminate the small mom and pop sites that only get a few visitors."
The time of year might also have had something to do with the filth choosing Make-A-Wish as their target. Sigler said that during the holiday season attackers tend to look to infect sites and pages that get high amounts of traffic, and the sites of charity organizations are a particularly good target, (so long as one is unhindered by morals and a sense of basic human decency.)
"For all we know this is one poor administrator trying to handle an international website with a lot of users," Sigler explained.
"We have seen time and time again where security gets overlooked."
Protecting against the attack is easy enough: Make sure Drupal (and all other web server apps) are updated and fully patched. Admins should also keep a close eye on any changes or unusual activity on their pages that could signal an attack. ®