Drupalgeddon2 Attack Puts Sites at Risk Worldwide

Skybox Blog Team, April 26, 2018

Drupal, a popular open-source content management system (CMS) used by more than a million sites worldwide, published yesterday another security advisory rated as highly critical in response to the Drupalgeddon2 attack. This is the third security advisory from Drupal within the last 30 days.

Drupalgeddon2 Vulnerability

On March 28, Drupal published CVE-2018-7600. Dubbed Drupalgeddon2, the remote code execution vulnerability does not require user interaction. It stems from insufficient input sanitization of Form API (FAPI) AJAX requests. By exploiting this vulnerability, an attacker could carry out a full site takeover of any site running Drupal.

The vulnerability exists in all Drupal versions from 6 to 8; however, a fix is available for versions 7 and 8 only.

On April 12, a Russian security researcher published proof-of-concept exploit code for Drupalgeddon2 on GitHub. Large-scale scanning and exploitation followed shortly after. This included reconnaissance efforts through simple echo statements or URL requests designed to verify exploitability, and malicious scripts installing backdoors and cryptocurrency miners.

On April 18, Drupal published another vulnerability, CVE-2018-9861, this time only a cross-site scripting (XSS) flaw.

Just a week later, on April 25, Drupal published CVE-2018-7602, another highly critical remote code execution vulnerability that does not require user interaction.

Who’s Behind Drupalgeddon2?

Several malware campaigns, run by different groups, appear to be exploiting Drupalgeddon2.

According to Volexity and GreyNoise Intelligence, one of the Monero cryptominer campaigns appears to be linked to the cybercrime group that exploited the vulnerability in Oracle WebLogic Server (CVE-2017-10271) to infect systems with cryptocurrency malware.

An additional campaign is spreading the Muhstik botnet, a variant of the Tsunami botnet. Muhstik has some noteworthy heft behind it:

  • Worm propagation
  • Use of seven exploits (six in addition to Drupalgeddon2, targeting WebDAV, WebLogic, Webuzo, WordPress and others)
  • Financial motivation: it runs the xmrig and cgminer miners and offers DDoS for profit

Applications Affected by Drupalgeddon2

The following Drupal versions are affected by the vulnerability:

  • Drupal versions prior to 7.58
  • Drupal versions 8.0 through 8.3.8
  • Drupal versions 8.4 through 8.4.5
  • Drupal versions 8.5 through 8.5.0

If you didn’t patch your Drupal CMS instance prior to April 13, 2018, there is a very strong likelihood that your web server has already been compromised. It is also recommended to examine your web logs for signs that exploitation occurred against your server before April 13.

How to Protect Against Drupalgeddon2

Because Drupalgeddon2 is exploited remotely without user interaction, and Drupal runs on internet-facing web servers, the vulnerability can serve as an easy entry point into the entire organizational network.

Skybox Security customers should scan their network to make sure all affected Drupal instances are patched.

Drupal recommends updating the above versions to the latest released versions:

  • Drupal 7.58
  • Drupal 8.3.9
  • Drupal 8.4.6
  • Drupal 8.5.1
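The affected and fixed releases above can be turned into a local check that an administrator runs against each Drupal document root before trusting that an instance is patched. This is an added example, not Skybox's scanner or Drupal's own code; it assumes the standard core version files, `core/lib/Drupal.php` for Drupal 8 and `includes/bootstrap.inc` for Drupal 7.

```python
"""Check a Drupal install (or a bare version string) against the affected and
fixed releases listed above for Drupalgeddon2 (CVE-2018-7600)."""
import re
from pathlib import Path

# Affected ranges from the advisory as (lowest affected, first fixed release);
# a version v is affected when low <= v < fixed. Drupal 6 is EOL with no fix.
RANGES = [
    ((7, 0), (7, 58)),
    ((8, 0, 0), (8, 3, 9)),
    ((8, 4, 0), (8, 4, 6)),
    ((8, 5, 0), (8, 5, 1)),
]

# Files where a standard install records its core version (assumed layout).
VERSION_FILES = ["core/lib/Drupal.php", "includes/bootstrap.inc"]

def parse_version(text):
    """'8.5.0' -> (8, 5, 0); '7.57' -> (7, 57). Pre-release suffixes are dropped."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)

def assess(version):
    """Return (affected, recommended_release). recommended_release is None when
    no fix exists (Drupal 6) or the version is outside every listed range."""
    v = parse_version(version)
    if v[0] == 6:
        return True, None  # end-of-life; only the Drupal 6 LTS migration path
    for low, fixed in RANGES:
        if low <= v < fixed:
            return True, ".".join(map(str, fixed))
    return False, None

def detect_version(docroot):
    """Read the VERSION constant from a Drupal 7 or 8 document root, or None."""
    for rel in VERSION_FILES:
        path = Path(docroot) / rel
        if path.is_file():
            m = re.search(r"VERSION\W+'([^']+)'", path.read_text(errors="ignore"))
            if m:
                return m.group(1)
    return None

if __name__ == "__main__":
    import sys
    ver = detect_version(sys.argv[1]) if len(sys.argv) > 1 else "8.5.0"  # constructed default
    print(ver, assess(ver))
```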

An important note: Drupal issued updates for the 8.3.x and 8.4.x branches, which are no longer supported, which indicates the severity of the vulnerability. Customers still running Drupal 6, which is end-of-life, have a migration path under the Drupal 6 Long Term Support program.
