Computer hackers are abusing the CVE-2018-7600 Drupal vulnerability using a new exploit called Drupalgeddon2 to take down sites. The attacks target site instances running versions 6, 7 and 8 of Drupal and use the same security vulnerability that was addressed back in March this year.
The CVE-2018-7600 Drupal Bug Abused in New Drupalgeddon2 Attack
An unknown criminal collective is taking advantage of an old security bug tracked in the CVE-2018-7600 advisory, which was patched earlier this year. The new intrusion attempt is called the Drupalgeddon2 attack and, according to the available research, allows hackers to exploit the sites using a new strategy. The consequences are total control of the target sites, including access to private data. The official description of the CVE-2018-7600 bug is the following:
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Several weeks after the issue was publicly announced, several hacking groups attempted to exploit it. The hackers were able to find vulnerable sites, which were all infected with backdoor viruses, miners and other malware code. This follow-up intrusion led to the discovery of an alternative intrusion approach that became known as the Drupalgeddon2 attack against Drupal sites.
The analysts uncovered that the same HTTP POST request as in the first attacks was used; the traffic analysis shows that similar content was sent. The end goal was to download a script written in the Perl language which triggers the download and execution of a backdoor. This malware script connects the infected site to an IRC-based channel which serves as the hacker-controlled server from which the various malicious actions are orchestrated. A partial list includes the following capabilities:
- DDoS Attacks — Infected Drupal instances can be used by criminals to launch denial-of-service attacks against certain targets.
- Vulnerability Testing — The malicious code that infiltrates the Drupal sites can be programmed to analyse other Drupal sites for weaknesses. The most common mechanism is through a SQL injection weakness, which looks for bugs in the way the sites interact with their databases. These are a very common mechanism for gaining administrative access.
- Miner Infection — The infected sites can be modified to include a cryptocurrency miner instance which is executed in the web browser of every visitor. Through it, the visitors' machines are instructed to run complex mathematical operations that take advantage of the available system resources. Whenever successful tasks are reported, the operators receive a reward in the form of digital cryptocurrency.
- Server Intrusion — The dangerous code can infect the servers hosting the Drupal instance with various malware. This is especially dangerous as it can lead to data harvesting of sensitive user information.
The security analysts show that one of the hacker collectives behind the Drupalgeddon2 attack is the same one behind an Apache Struts vulnerability discovered last year. A follow-up intrusion campaign was carried out in August via the CVE-2018-11776 bug.
All Drupal sites should be updated to the latest available version in order to protect themselves against hacker attacks.
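As an added example (not code from the article or from the Drupal project), a small Python checker that reads the Drupal version string from a site's source and applies the branch thresholds quoted in the CVE-2018-7600 description above, so an administrator can confirm whether an instance still needs the update. It assumes the version constant lives in core/lib/Drupal.php (Drupal 8) or includes/bootstrap.inc (Drupal 6/7); the PHP snippets are constructed samples.

```python
import re
from typing import Optional, Tuple

# Minimum fixed releases per branch, taken from the CVE-2018-7600 description:
# "Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1".
PATCHED = {
    (7,): (7, 58),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}
PATCHED_8_EARLY = (8, 3, 9)  # covers the 8.0.x through 8.3.x branches

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '8.5.0-rc1' or '7.58' into a comparable tuple of ints (pre-release tags dropped)."""
    core = s.strip().split("-")[0]
    return tuple(int(p) for p in core.split("."))

def is_vulnerable(version: str) -> bool:
    """True if this release predates the fix for CVE-2018-7600 on its branch."""
    v = parse_version(version)
    major = v[0]
    if major <= 6:
        return True  # the article reports 6.x sites among the targets; no fixed 6.x release is listed
    if major == 7:
        return v < PATCHED[(7,)]
    if major == 8:
        minor = v[1] if len(v) > 1 else 0
        if minor <= 3:
            return v < PATCHED_8_EARLY
        fixed = PATCHED.get((8, minor))
        return False if fixed is None else v < fixed  # 8.6+ shipped after the fix
    return False  # later major versions never carried the bug

VERSION_PATTERNS = [
    re.compile(r"const\s+VERSION\s*=\s*'([^']+)'"),   # Drupal 8: core/lib/Drupal.php
    re.compile(r"define\('VERSION',\s*'([^']+)'\)"),  # Drupal 6/7: includes/bootstrap.inc
]

def version_from_source(php_source: str) -> Optional[str]:
    """Extract the version constant from either file layout, or None if not found."""
    for pat in VERSION_PATTERNS:
        m = pat.search(php_source)
        if m:
            return m.group(1)
    return None

def audit(php_source: str) -> Tuple[Optional[str], bool]:
    """Return (version, vulnerable); an unreadable version is reported as vulnerable."""
    ver = version_from_source(php_source)
    return (ver, True if ver is None else is_vulnerable(ver))

# Constructed samples standing in for the two real files.
SAMPLE_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '8.5.0';\n"
SAMPLE_BOOTSTRAP_INC = "<?php\ndefine('VERSION', '7.58');\n"
```

Run audit() over the contents of the version file on each host; a (version, True) result means the instance is still exposed and should be updated as the article advises.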