On March 28th, a patch was released to protect the Drupal content management system (Drupal 6, 7 and 8) against a vulnerability that facilitates remote code execution. The Drupal vulnerability was tracked as CVE-2018-7600 and discovered by Jasper Mattson of Druid. Prior to the release of the patch, Drupal gave advance notice of its impending release and noted the potential consequences, given the ease with which the vulnerability could be exploited. This led to industry concern over a new “Drupalgeddon”, in which a large number of unpatched websites could be compromised.
In a PSA posted on its website last week, the Drupal team noted that: “The security team is now aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002. Due to this, the security team is increasing the security risk score of that issue to 24/25.” Drupal warned that sites that had not been patched by April 11th may be compromised. Drupal cautioned, “Simply updating Drupal will not remove backdoors or fix compromised sites.” They also told users that if their site is already patched, but they were not the ones to patch it, that can be a symptom of a compromised site, as previous attacks have applied the patch themselves to ensure that only the attacker remains in control of the site.
Others are calling the situation Drupalgeddon 2. While the majority of the online activity exploiting the vulnerability appears to be scanning (to find vulnerable systems), attackers have also begun to exploit the flaw to install malware. The SANS Internet Storm Center observed attempts to deliver a cryptocurrency miner, a simple PHP backdoor that lets attackers upload further files to the targeted server, and an IRC bot written in Perl.
Imperva reported that it had found that 90% of the attack attempts were scanners, 3% were backdoor infection attempts, and 2% represented attempts to run crypto miners on the intended targets. They also noted that 53% of the attacks came from the U.S., with China following just behind at 45%.
Volexity has also been monitoring Drupalgeddon 2, and has linked one of the Monero miner campaigns to a group that made over $100,000 in Monero last year through illicit cryptojacking campaigns.
Industry researchers initially expected exploits almost immediately after details of the flaw were released online; however, the first attacks weren’t detected until two weeks later, after a technical analysis and a proof-of-concept (PoC) exploit had been made public.
“It appeared every one of the black hats was waiting for someone else to do the research and share the exploit. Perhaps most hackers don’t care for the actual work of finding ways to exploit a vulnerability. They just wait until something is public and then use it to attack. Before that, we saw almost no traffic whatsoever!” Imperva said.