Within days of Drupal patching a remote code execution (RCE) vulnerability in its platform, attackers carried out numerous cryptomining attacks on Drupal-based sites, likely using proof-of-concept (PoC) exploits released by security researchers.
The big picture - In exclusive research, the security firm Imperva identified more than 100 exploit attempts against Drupal sites. The vulnerability, CVE-2019-6340, allowed arbitrary code execution through the REST module in specific versions of the open-source content management platform.
After Drupal released a patch for the vulnerability, other security firms published proof-of-concept (PoC) exploit code that could still exploit the vulnerability. PoCs are usually meant to highlight flaws and, in some cases, to provide temporary measures for blocking attacks. In this case, attackers took advantage of the opportunity to target vulnerable Drupal sites, likely using the information gained from the PoCs.
The Proof-of-Concept Exploits
The bottom line - This vulnerability mainly affects Drupal 8, which forms a small fraction of the total number of Drupal-based sites.
Troy Mursch, co-founder of Bad Packets LLC, told ZDNet, "There are roughly 63,000 Drupal 8 sites around. Furthermore, only Drupal 8 sites where a certain combination of modules is enabled are vulnerable, meaning that very few of these are actually vulnerable."
Drupal is expected to release another update in the coming days to fix this vulnerability.