Cyber Incident Victim: Make-A-Wish Foundation

Date:

Nov 2018

Location:

United States of America

Summary

Attackers exploited a critical vulnerability in the Drupal content management system to compromise the Make-A-Wish Foundation's website, injecting a cryptojacking script that covertly utilized visitors' computing resources to mine cryptocurrency. The malicious payload, hosted on a domain linked to prior cybercriminal activity, employed dynamic domain changes and WebSocket communications to evade detection mechanisms. While the charity's site no longer hosts the script, the incident highlights broader challenges in distinguishing malicious cryptojacking from legitimate resource usage, particularly as threat actors increasingly target high-traffic platforms for unauthorized cryptocurrency operations. The attackers leveraged a known campaign infrastructure tied to outdated Drupal installations, demonstrating persistent exploitation of unpatched systems despite public disclosure of the vulnerability.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

On or around November 19, 2018, the Make-A-Wish Foundation’s website, ‘worldwish.org,’ was compromised by attackers exploiting the critical Drupal content management system vulnerability known as Drupalgeddon 2 (CVE-2018-7600). This vulnerability, affecting Drupal versions spanning a decade, allowed remote code execution. Attackers injected a cryptocurrency mining script hosted at ‘drupalupdates[.]tk,’ a domain associated with malicious campaigns leveraging this specific flaw. The script deployed was CoinIMP, a JavaScript-based web miner designed to harness visitors’ computing resources to generate cryptocurrency revenue. Trustwave SpiderLabs researchers identified the compromise, noting the attackers employed evasion techniques to bypass static detection methods, including dynamically changing the domain hosting the miner script and utilizing WebSocket connections across multiple domains and IP addresses to circumvent blacklisting. The Drupalgeddon 2 vulnerability had been publicly disclosed in April 2018, with proof-of-concept exploit code rapidly weaponized by threat actors to deploy backdoors and cryptojacking payloads. Despite Trustwave’s attempt to alert Make-A-Wish about the compromise, no response was received. Subsequent analysis confirmed the cryptomining script was removed from the website, though the timeline and method of remediation were not publicly disclosed.
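The evasion described above (a miner loader whose hosting domain keeps changing, talking to its pool over WebSocket) defeats blocklists of known miner domains, so a defender checking a site's pages for this kind of injection is better served by an allowlist of approved script origins. The following is an added example, not code from Trustwave or the Drupal project: it parses a constructed HTML page, flags any external script not served from an assumed first-party allowlist, and flags inline scripts that open WebSocket connections. The hosts and allowlist entries are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed allowlist of approved script origins for the site (placeholders).
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}
# Inline code that opens a WebSocket, as the described miner does.
WEBSOCKET_RE = re.compile(r"new\s+WebSocket\s*\(|wss?://", re.IGNORECASE)

class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and inline <script> bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external = []      # src URLs of external scripts
        self.inline = []        # bodies of inline scripts
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (finding_kind, detail) pairs: scripts from hosts outside the
    allowlist, and inline scripts that open WebSockets. Relative/first-party
    src values (no hostname) are treated as approved."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname
        if host is not None and host not in allowed_hosts:
            findings.append(("unapproved-script-host", src))
    for body in p.inline:
        if WEBSOCKET_RE.search(body):
            findings.append(("inline-websocket", body.strip()[:80]))
    return findings

# Constructed sample page: one approved script, one injected loader from an
# unknown host, and an inline snippet opening a WebSocket (placeholder hosts).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script src="https://updates-placeholder.invalid/miner.js"></script>
<script>var s = new WebSocket("wss://pool-placeholder.invalid/ws");</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML):
        print(kind, detail)
```

Run against a crawl of the site's own pages, any unapproved-script-host finding is a change to investigate regardless of which domain the loader currently points at.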

The incident impacted visitors to ‘worldwish.org,’ whose systems’ computational resources were covertly utilized for cryptocurrency mining without consent or notification. This unauthorized resource usage raised ethical and legal concerns, as legitimate in-browser mining typically requires explicit user agreement. The attack highlighted the persistent targeting of high-traffic websites vulnerable to Drupalgeddon 2, particularly those lacking timely patches. While cryptojacking for revenue generation had gained traction among smaller websites and even some legitimate entities like Unicef AU’s ‘TheHopepage.org’—which transparently employed CoinHive mining for fundraising—the Make-A-Wish compromise exemplified malicious exploitation without user awareness. Trustwave’s report emphasized the challenge of distinguishing between malicious cryptojacking and authorized mining operations in the absence of clear disclosure. The removal of the script curtailed further resource misuse, but the lack of engagement from Make-A-Wish left unanswered questions regarding initial infection vectors, duration of compromise, and potential secondary payloads. The event underscored the broader trend of attackers monetizing web compromises through cryptojacking amid fluctuating cryptocurrency values.
