Drupal vulnerability being used to install crypto miners as PoC exploit goes public
Most of you would be aware of WordPress, which is one of the most popular Content Management Systems (CMS). Just like WordPress, there is Drupal, an open source Content Management system used by over 1 million websites, including those run by governments and financial institutions.
Last month, Drupal’s security team released patch for a highly critical vulnerability (dubbed Drupalgeddon2), which if exploited could result in the remote attacker gaining complete control of the website.
Needless to say, all admins whose websites are running on Drupal are being advised to install the patch as quickly as they can. And this should be done on highest priority now (if not already) as researchers have released a proof of concept exploit for the vulnerability, meaning attackers can now easily use the vulnerability to gain control of your site.
In fact, attacks have already started happening, as it has been revealed that the vulnerability is being used to install miners for Monero cryptocurrency. Following is an excerpt taken from a thread on SANS ISC Infosec forums:
The exploit attempts are currently arriving at a pretty brisk pace. Here is one installing the standard xmrig Monero miner.
There are also similar reports on Twitter:
— Alexey Goncharov (@alyoshapotter) April 13, 2018
— SANS ISC (@sans_isc) April 13, 2018
Even the Who’s Who of the website industry are discussing the matter, advising people to install the patch as soon as possible. Here’s a tweet from VP of Engineering at GoDaddy:
1/2 It's been ~24 hours since the release of a public exploit for the Drupal RCE (CVE-2018-7600) https://t.co/1tfpH08Ohb
We are seeing 150 different IP addresses scanning and trying to exploit every Drupal site behind our network. If you didn't patch, consider yourself hacked.
— Daniel Cid (@danielcid) April 13, 2018
Drupal’s security team published a PSA yesterday, revealing they are aware of attacks using the vulnerability. The announcement also contains other useful information. Here’s an excerpt:
The security team is now aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002. Due to this, the security team is increasing the security risk score of that issue to 24/25
Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that.
Simply updating Drupal will not remove backdoors or fix compromised sites.
If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.
You can access the complete PSA here.
Stay connected with us on Twitter (@PiunikaWeb) to hear about all related developments as and when they occur