Drupalgeddon 2.0 vulnerability found being exploited by PerlBot

• Attackers leverage CVE-2018-7600 flaw to launch Shellbot malware in Drupal websites.
• A successful attack can allow attackers to steal data, host malicious content and launch additional attacks.

A new wave of cyber attacks targeting unpatched Drupal websites has been uncovered by security researchers. The attack leverages PowerBot malware and is primarily conducted on websites that are vulnerable to Drupalgeddon 2.0.

Researchers at IBM Security’s Managed Security Services discovered that the malicious actors are using the Internet Relay Bot, called PerlBot or Shellbot to gain complete control over the vulnerable Drupal websites. A successful attack can open a backdoor to the websites, allowing attackers to steal data, host malicious content and launch additional attacks.

“To do that, malicious actors often pick a vulnerability and then probe for exploitable sites en masse. Those found unpatched or vulnerable for some other reason might fall under the attacker’s control, which could mean a complete compromise of that site. With this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks,” said Noah Adjonyo and Limor Kessem in a blog post.

Modus Operandi

Researchers explained that the attackers leveraged a remote code execution(RCE) vulnerability dubbed as CVE-2018-7600 - also known as Drupalgeddon 2.0 - to launch Shellbot malware in Drupal websites.

Further investigation showed that the unpatched Drupal websites were also vulnerable to another highly critical RCE flaw, title CVE-2018-7602.

When the Shellbot is successfully executed on a website, it connects with Command & Control ((C2) ) server to receive instructions from its controller.

Commenting on the Shellbot’s properties, the researchers said, “The bot contained multiple tools to perform distributed denial-of-service (DDoS) attacks and search for SQL injection weaknesses and other vulnerabilities, including privilege escalation to reach root level on the victimized system.”

Mitigation

The Drupal security team is aware of the reported vulnerability CVE-2018-7600 since at least March 2018. Several security patches to fix the Drupalgeddon 2.0 vulnerability were also released eventually. The users are recommended to upgrade the older versions of Drupal 7 and 8 to 7.58 and 8.51 respectively.