Three-month-old Drupal vulnerability is being used to deploy cryptojacking malware