Drupalgeddon2 Attack Puts Sites at Risk Worldwide

Skybox Blog Team, April 26, 2018

Drupal, a popular open-source content management system (CMS) used by more than a million sites worldwide, published yesterday another security advisory rated as highly critical in response to the Drupalgeddon2 attack. This is the third security advisory from Drupal within the last 30 days.

Drupalgeddon2 Vulnerability

On March 28, Drupal published CVE-2018-7600. Dubbed Drupalgeddon2, the remote code execution vulnerability does not require user interaction. It stems from insufficient input sanitation on Form API (FAPI) AJAX requests. By exploiting this vulnerability, an attacker could carry out a full site takeover of any Drupal customer.

The vulnerability exists in all Drupal versions from 6 to 8; however, the fix is available for versions 7 and 8 only.

On April 12, a Russian security researcher published proof-of-concept exploit code for Drupalgeddon2 on GitHub. Large-scale scanning and exploitation followed shortly after. This included reconnaissance efforts through simple echo statements or URL requests designed to verify exploitability, and malicious scripts installing backdoors and cryptocurrency miners.

On April 18, Drupal published another vulnerability, CVE-2018-9861, this time only a cross-site scripting (XSS) issue.

Just a week later, on April 25, Drupal published CVE-2018-7602, another highly critical remote code execution vulnerability that does not require user interaction.

Who’s Behind Drupalgeddon2?

Several groups of malware campaigns seem to be exploiting Drupalgeddon2.

According to Volexity and GreyNoise Intelligence, one of the Monero cryptominer campaigns appears to be linked to the cybercrime group that exploited the vulnerability in Oracle WebLogic Server (CVE-2017-10271) to infect systems with cryptocurrency malware.

An additional campaign is spreading the Muhstik botnet, a variant of the Tsunami botnet. Muhstik has some noteworthy heft behind it:

  • Worm propagation
  • Use of seven exploits (Drupalgeddon2 plus six others targeting WebDAV, WebLogic, Webuzo, WordPress and more)
  • Financial motivation: cryptomining with xmrig and cgminer, plus DDoS for profit

Applications Affected by Drupalgeddon2

The following Drupal versions are affected by the vulnerability:

  • Drupal versions prior to 7.58
  • Drupal versions 8.0-8.3.8
  • Drupal versions 8.4-8.4.5
  • Drupal versions 8.5-8.5.0

If you didn’t patch your Drupal CMS instance prior to April 13, 2018, there is a very strong likelihood that your web server has already been compromised. It has also been recommended to examine web logs to see whether exploitation occurred against your server prior to April 13.

How to Protect Against Drupalgeddon2

As the Drupalgeddon2 vulnerability is exploited remotely without user interaction, and Drupal runs on internet-facing web servers, it may be used as an easy entry point into the entire organizational network.

Skybox Security customers should scan their networks to make sure all Drupal instances running the relevant versions are patched.

Drupal recommends updating the above versions to the latest released versions:

  • Drupal 7.58
  • Drupal 8.3.9
  • Drupal 8.4.6
  • Drupal 8.5.1

An important note: Drupal issued an update for versions 8.3.x and 8.4.x, which are no longer supported; that alone indicates the severity of the vulnerability. Customers that still run Drupal 6, which is end-of-life, have a migration path under the Drupal 6 Long Term Support program.
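To turn the affected ranges and the recommended target releases above into a check that can be run over a version inventory gathered by a scan, here is an added example (not code from Drupal, Skybox or the original post). It encodes only the ranges and fixed releases stated above; the hostnames and version strings in the sample inventory are constructed, and pre-release suffixes such as `-rc1` are assumed to be comparable to the base release they precede.

```python
"""Triage Drupal core versions against the CVE-2018-7600 affected ranges and
patched releases listed above (constructed example, not Drupal's or Skybox's code)."""

from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class Verdict(NamedTuple):
    affected: bool
    target: Optional[str]  # release to update to, or None when no core fix exists
    note: str


# (lowest version in the branch, first fixed release in that branch). A version is
# affected when it belongs to the branch and is below the fixed release. The fixed
# releases are the ones named above: 7.58, 8.3.9, 8.4.6 and 8.5.1.
AFFECTED_BRANCHES: List[Tuple[Version, str]] = [
    ((7, 0, 0), "7.58"),
    ((8, 0, 0), "8.3.9"),  # covers 8.0 through 8.3.8
    ((8, 4, 0), "8.4.6"),
    ((8, 5, 0), "8.5.1"),
]


def parse_version(text: str) -> Version:
    """Turn '7.58', '8.3.7' or '8.5.0-rc1' into a comparable (major, minor, patch) tuple.
    A pre-release suffix is dropped, so '8.5.0-rc1' compares as 8.5.0 (assumption)."""
    base = text.strip().split("-")[0]
    parts = [int(p) for p in base.split(".")]  # ValueError on anything non-numeric
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def check_version(text: str) -> Verdict:
    """Classify a single Drupal core version against the affected ranges."""
    v = parse_version(text)
    if v[0] == 6:
        # Drupal 6 is affected but end-of-life: no core release fixes it.
        return Verdict(True, None, "Drupal 6 is end-of-life; see Drupal 6 Long Term Support")
    branch = None
    for lower, fixed in AFFECTED_BRANCHES:  # ascending order, so the last match wins
        if lower <= v:
            branch = (lower, fixed)
    if branch is None:
        return Verdict(False, None, "version not within the advisory's affected ranges")
    _, fixed = branch
    if v < parse_version(fixed):
        return Verdict(True, fixed, f"update to {fixed}")
    return Verdict(False, None, f"not below {fixed}, the fixed release for this branch")


def triage(inventory: Dict[str, str]) -> Dict[str, Verdict]:
    """Map host -> reported version (as gathered by a scan) to host -> verdict,
    keeping only the hosts that still need action."""
    results = {host: check_version(ver) for host, ver in inventory.items()}
    return {host: r for host, r in results.items() if r.affected}


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for this example.
    sample = {
        "www-1.example": "8.3.7",
        "www-2.example": "8.5.1",
        "intranet.example": "7.54",
        "legacy.example": "6.38",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict.note}")
```

Because the branch table is ordered and the check picks the highest branch lower bound at or below the version, 8.3.x falls under the 8.3.9 fix while 8.4.x and 8.5.x get their own targets, which mirrors the four separate updates Drupal issued rather than a single "upgrade to latest" rule.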


The Skybox Blog Team is a group of talented, security-conscious writers dedicated to bringing you insights into trending topics, IT security developments, and Skybox solutions.
