
Cyber Threat Defense

Cyber Security News


Drupal Vulnerable to Back Doors

April 20, 2018 By News Team

On March 28th, Drupal released a patch for a remote code execution vulnerability affecting the Drupal content management system (Drupal 6, 7 and 8). The vulnerability, tracked as CVE-2018-7600, was discovered by Jasper Mattson of Druid. Prior to releasing the patch, Drupal gave advance notice of its impending release and warned of the potential consequences, given how easy the vulnerability was to exploit. This led to industry concern over a new “Drupalgeddon”, in which a large number of unpatched websites could be compromised.

In a PSA last week on its website, the Drupal team noted that: “The security team is now aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002. Due to this, the security team is increasing the security risk score of that issue to 24/25.” Drupal warned that sites that had not been patched by April 11th may be compromised. Drupal cautioned, “Simply updating Drupal will not remove backdoors or fix compromised sites.” They also told users that a site that is already patched, but not by its own administrators, may itself be compromised: previous attacks have applied the patch so that only the attacker retains control of the site.
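One defender-side check that follows from this advice, added here as an editor's example rather than code from the article, from Drupal or from any vendor named on the page: it reads the core VERSION constant, compares it with the first fixed releases of each branch (those version numbers are taken from the SA-CORE-2018-002 advisory and are not stated in the article), reports the version file's modification time so the owner can compare it with their own deployment records, and lists PHP files sitting in the upload directories. The sample webroot built by `demo()` is constructed for illustration.

```python
import os
import re
import tempfile

# Earliest releases with the SA-CORE-2018-002 fix (editor's addition from the advisory; the article names none).
FIXED = {7: [(7, 58)], 8: [(8, 3, 9), (8, 4, 6), (8, 5, 1)]}
VERSION_RE = re.compile(r"""VERSION['"]?\s*[,=]\s*['"]([0-9.]+)['"]""")

def parse_version(text):
    """Extract the core VERSION constant from bootstrap.inc (D7) or Drupal.php (D8)."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_patched(version):
    """True/False when the branch has a listed fix; None for Drupal 6 or an unknown layout."""
    if not version or version[0] not in FIXED:
        return None
    for fixed in FIXED[version[0]]:
        if fixed[:-1] == version[:-1]:
            return version >= fixed
    return version > max(FIXED[version[0]])  # a newer minor than any listed fix

def audit(webroot):
    """Facts a site owner compares against their own deployment records."""
    report = {"version": None, "patched": None, "version_file_mtime": None, "php_in_files": []}
    for rel in ("includes/bootstrap.inc", "core/lib/Drupal.php"):  # Drupal 7 / Drupal 8 layouts
        path = os.path.join(webroot, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                report["version"] = parse_version(fh.read())
            report["patched"] = is_patched(report["version"])
            # Epoch mtime: newer than your own last deployment means someone else patched the site.
            report["version_file_mtime"] = os.path.getmtime(path)
            break
    # Upload directories should never hold PHP; anything here deserves a look.
    for dirpath, _, names in os.walk(os.path.join(webroot, "sites")):
        if "files" in dirpath.split(os.sep):
            report["php_in_files"] += [os.path.join(dirpath, n) for n in names if n.lower().endswith((".php", ".phtml", ".phar"))]
    return report

def demo():
    """Constructed sample webroot: unpatched Drupal 7.57 plus a stray PHP file under uploads."""
    root = tempfile.mkdtemp()
    for rel, body in (("includes/bootstrap.inc", "<?php\ndefine('VERSION', '7.57');\n"),
                      ("sites/default/files/stray.php", "<?php // constructed placeholder\n")):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return audit(root)
```

Run `audit("/var/www/drupal")` against a real webroot; a `patched` value of `True` with an mtime you do not recognise is exactly the symptom Drupal describes.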

Others are calling the situation Drupalgeddon 2. While the majority of the online activity exploiting the vulnerability appears to be scanning (to find vulnerable systems), attackers have additionally begun to exploit the flaw to install malware. The SANS Internet Storm Center observed attempts to deliver a cryptocurrency miner, to deploy a simple PHP backdoor that lets attackers upload further files to the targeted server, and to install an IRC bot written in Perl.

Imperva reported that 90% of the attack attempts were scanners, 3% were backdoor infection attempts, and 2% were attempts to run crypto miners on the intended targets. It also noted that 53% of the attacks came from the U.S., with China following just behind at 45%.

Volexity has also been monitoring Drupalgeddon 2, and has linked one of the Monero miner campaigns to a group that made over $100,000 in Monero last year through illicit cryptojacking campaigns.

Industry researchers initially expected exploitation to begin almost immediately after the flaw was disclosed; however, the first attacks were not detected until two weeks later, after a technical analysis and a proof-of-concept (PoC) exploit had been made public.

“It appeared every one of the black hats was waiting for someone else to do the research and share the exploit. Perhaps most hackers don’t care for the actual work of finding ways to exploit a vulnerability. They just wait until something is public and then use it to attack. Before that, we saw almost no traffic whatsoever!” Imperva said.
