In March this year, a highly critical vulnerability dubbed Drupalgeddon 2 was discovered that affected all Drupal sites. The flaw is considered to be the most severe vulnerability to affect the Drupal CMS since the original Drupalgeddon flaw first appeared in 2014.
After Drupalgeddon 2’s proof of concept code was published in April, hackers began exploiting the vulnerability, infecting servers with cryptojackers, coin miners, malware, backdoors and IoT botnet malware. The vulnerability essentially allows attackers to remotely hijack a site and execute malicious code without any authentication.
A patch to fix the issue was released and made available for Drupal CMS versions 6, 7, and 8.
However, according to a report by security researcher Troy Mursch, over 115,000 Drupal sites still remain unpatched, and therefore vulnerable, despite the patch having been released over two months ago.
“Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world,” Mursch wrote in his blog. “Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers.”
Attackers exploiting Drupalgeddon 2 have also begun expanding their cryptojacking campaigns.
Mursch uncovered a new cryptojacking campaign targeting Drupal sites. Among the sites affected by this new campaign was the website of a Belgium-based police department. While searching for sites compromised by the cryptojacking campaign, Mursch discovered another 258 compromised sites, one of which belonged to the Colorado Attorney General’s office.
Although it is crucial that owners of Drupal sites apply the latest patches to prevent attacks, updating alone will not be enough for sites that have already been compromised.
“Simply updating Drupal will not remove backdoors or fix compromised sites,” Drupal’s security PSA stated. “You should assume that the host is also compromised and that any other sites on a compromised host are compromised as well. If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.”
Despite the large number of vulnerable sites still online, according to Mursch, an even larger number of sites have already patched the flaw. “Hopefully this becomes a trend as more sites continue to be updated,” Mursch said.