Cryptocurrency Miners Exploit Latest Drupal FlawPatch Now to Block Remote Code Execution Exploits of Content Management System
Hackers wasted little time before trying to turn a "highly critical" vulnerability in the Drupal content management system to their advantage.
Just three days after Drupal warned of the vulnerability and issued patches, attackers began exploiting the flaw to install cryptocurrency miners and other malicious software on vulnerable sites, security experts warn (see: Hackers Target Fresh Drupal CMS Flaw to Infiltrate Sites).
"We've found dozens of attack attempts aimed at dozens of websites that belong to our customers using this exploit, including sites in government and the financial services industry," Edi Kogan, a researcher at security firm Imperva, says in a blog post.
The index.php file is what gets first loaded whenever someone visits a website. Cryptocurrency mining malware, meanwhile, refers to any code that uses an infected system's CPUs to "mine" for cryptocurrency by solving computational challenges that build the virtual currency's blockchain in return for a potential reward (see: Malware Moves: Attackers Retool for Cryptocurrency Theft).
Critical Security Fixes
On Feb. 20, the project team behind the Drupal open source CMS software released security updates, warning that they patch a vulnerability, designated CVE-2019-6340, that attackers could use to remotely execute code and potentially take full control of a vulnerable system.
These "critical releases" update Drupal 8.6.x to Drupal 8.6.10, and Drupal 8.5.x or earlier to Drupal 8.5.11.
The Drupal project team recommends that all users immediately apply the updates. "Be sure to install any available security updates for contributed projects after updating Drupal core," the Drupal team says. "No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates."
Many Drupal users will need the update because the flaw exists in web services functionality. "The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest) module," Branden Lynch, a threat analyst at security firm Trend Micro, says in a blog post.
A proof-of-concept exploit for the flaw was first published on Thursday.
Researchers say the flaw is easy to exploit. "An attacker can submit a crafted link that references a type of shortcut and contains serialized PHP in the 'options' field for the link," Lynch says.
The link can be used to execute any command, "including downloading a web shell or establishing persistence on the target via malware or other means," he says. "All executed commands will inherit the privileges of the user running Drupal."
Mitigation Warning: Workarounds Aren't Foolproof
Lynch cautions that the exploit continues to work even for sites that have yet to install updates but have applied Drupal's recommended workarounds to at least mitigate the flaw. Those workarounds involve disabling all web services modules or else configuring services to not allow PUT, PATCH or POST requests to web services resources.
Even with such mitigations in place, "it is still possible to issue a GET request and therefore perform remote code execution, as was the case with the other HTTP methods," he warns.
Some other types of defenses, such as using web application firewalls, can block these types of attacks, he adds.
On Friday, less than 48 hours after Drupal released its latest security updates, independent security researcher Troy Mursch of Bad Packets Report warned that he had already seen numerous attackers scanning for Drupal sites that were vulnerable to CVE-2019-6340.
Popular Hacking Target
Following WordPress and Joomla, Drupal is the world's third most popular content management system, commanding 4 percent market share, according to W3Techs.com.
More than 1 million websites use Drupal, according to the Drupal project team.
Given Drupal's wide installation base, Imperva's Kogan says the CMS remains a popular attack target. "As always, attacks followed soon after the exploit was published. So being up to date with security updates is a must," he says.
Attacks against Drupal have been escalating in recent years, reaching a peak in 2018 after vulnerabilities with such names as DirtyCOW and Drupalgeddon 1, 2 and 3 were revealed (see: Websites Still Under Siege After 'Drupalgeddon' Redux).
"These were used in mass attacks that targeted hundreds of thousands of websites," Kogan says.
Mursch of Bad Packets Report say attackers are continuing to scan not just for the latest vulnerability, but also older flaws, suggesting that numerous site administrators have yet to apply them.
WARNING— Bad Packets Report (@bad_packets) February 26, 2019
Incoming scans detected from 188.8.131.52 checking for #Drupal sites vulnerable to CVE-2018-7600.
This vulnerability, dubbed Drupalgeddon 2, allows remote attackers to execute arbitrary code.
Proof of concept by @g0tmi1k: https://t.co/lYbRdpJh5Z pic.twitter.com/xOknCmyDCt