Drupal, a popular open-source content management system (CMS) used by more than a million sites worldwide, yesterday published another security advisory rated highly critical, following the Drupalgeddon2 attack. This is the third security advisory from Drupal within the last 30 days.

Drupalgeddon2 Vulnerability

On March 28, Drupal published CVE-2018-7600. Dubbed Drupalgeddon2, the remote code execution vulnerability does not require user interaction. It stems from insufficient input sanitization of Form API (FAPI) AJAX requests. By exploiting this vulnerability, an attacker could carry out a full takeover of any vulnerable Drupal site.

The vulnerability exists in all Drupal versions from 6 to 8; however, the fix is available for versions 7 and 8 only.

On April 12, a Russian security researcher published proof-of-concept exploit code for Drupalgeddon2 on GitHub. Large-scale scanning and exploitation followed shortly after, including reconnaissance through simple echo statements or URL requests designed to verify exploitability, as well as malicious scripts installing backdoors and cryptocurrency miners.

On April 18, Drupal published another vulnerability, CVE-2018-9861, this time only a cross-site scripting (XSS) issue.

Just a week later, on April 25, Drupal published CVE-2018-7602, another highly critical remote code execution vulnerability that does not require user interaction.

Who’s Behind Drupalgeddon2?

Several groups of malware campaigns seem to be exploiting Drupalgeddon2.

According to Volexity and GreyNoise Intelligence, one of the Monero cryptominer campaigns appears to be linked to the cybercrime group that exploited the vulnerability in Oracle WebLogic Server (CVE-2017-10271) to infect systems with cryptocurrency malware.

An additional campaign is spreading the Muhstik botnet, a variant of the Tsunami botnet. Muhstik has some noteworthy heft behind it:

  • Worm propagation
  • Use of seven exploits (six in addition to Drupalgeddon2 targeting Webdav, WebLogic, Webuzo, WordPress and others)
  • Financial motivation: profit from the xmrig and cgminer cryptominers and from DDoS for hire

Applications Affected by Drupalgeddon2

The following Drupal versions are affected by the vulnerability:

  • Drupal versions prior to 7.58
  • Drupal versions 8.0-8.3.8
  • Drupal versions 8.4-8.4.5
  • Drupal versions 8.5-8.5.0

If you didn’t patch your Drupal CMS instance prior to April 13, 2018, there is a very strong likelihood that your web server has already been compromised. It has also been recommended to examine web logs for signs of exploitation against your server prior to April 13.
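Below is an added example of the kind of web-log review recommended above; it is not code from Skybox or from the Drupal project. It assumes Apache Common Log Format and relies on the fact that Drupal’s patch for CVE-2018-7600 strips request keys beginning with `#` (Form API render-array properties) from user input, so a request that carries such a key in its query string is a strong indicator of an exploitation attempt.

```python
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Common Log Format line: ip ident user [ts] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def render_property_keys(url):
    """Parameter names containing a '#'-prefixed segment after percent-decoding.
    A second unquote() pass also catches double-encoded keys such as '%2523'."""
    flagged = []
    for key, _ in parse_qsl(urlparse(url).query, keep_blank_values=True):
        key = unquote(key)
        segments = [s for s in re.split(r'[\[\]]', key) if s]
        if any(s.startswith('#') for s in segments):
            flagged.append(key)
    return flagged


def scan_log(lines):
    """Return one record per request whose query string injects '#' keys."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        keys = render_property_keys(m['path'])
        if keys:
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'method': m['method'],
                         'status': int(m['status']), 'keys': keys})
    return hits


# Constructed sample lines (not real traffic): a benign request, one with a
# percent-encoded '#' key, and one with a double-encoded '#' key.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Apr/2018:08:12:01 +0000] "GET /node/1 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [13/Apr/2018:08:12:07 +0000] '
    '"GET /user/password?name[%23foo]=1 HTTP/1.1" 200 887',
    '10.0.0.9 - - [13/Apr/2018:08:12:09 +0000] '
    '"POST /user/register?form[%2523bar]=x HTTP/1.1" 200 412',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} keys={hit['keys']}")
```

Standard access logs record only the request line, so this catches query-string variants; keys sent in a POST body are visible only in a WAF or full-request capture.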


How to Protect Against Drupalgeddon2

Because Drupalgeddon2 is exploited remotely without user interaction, and Drupal runs on internet-facing web servers, the vulnerability may serve as an easy entry point into the entire organizational network.

Skybox Security customers should scan their networks to make sure all relevant Drupal instances are patched.

Drupal recommends updating the above versions to the latest releases:

  • Drupal 7.58
  • Drupal 8.3.9
  • Drupal 8.4.6
  • Drupal 8.5.1

An important note: Drupal issued updates for the 8.3.x and 8.4.x branches, which are no longer supported, which indicates the severity of the vulnerability. Customers still running Drupal 6, which is end-of-life, have a migration path under the Drupal 6 Long Term Support program.
