What is Drupalgeddon and what kind of targets does it go after?
There appears to be a rise in attacks on websites that run content management software such as WordPress and Drupal. Sites use Drupal to manage web content such as images, text and video. Attackers continuously exploit Drupal flaws and map out new threats in order to carry out their nefarious activities, such as stealing data, hosting malicious content or launching additional attacks. Lately, hackers have been leveraging the Drupalgeddon vulnerability in order to get more out of their attacks.
The first instance of the Drupalgeddon vulnerability being leveraged was reported in 2014, after 12 million websites running the Drupal software were compromised in a massive hack. These attacks appear to be a financially motivated effort to mass-compromise websites.
What is Drupal?
Like WordPress, Drupal is a content management system (CMS) widely used for creating and maintaining websites and applications of all sorts. Drupal is open source and is maintained by a community of users.
Given its use across a large number of websites, the CMS is a juicy target for cybercriminals. Attackers can easily look for weaknesses such as unpatched or outdated installations and compromise as many websites as possible.
Millions of websites compromised in 2014 due to a Drupal flaw
A bug in version 7 of the Drupal software resulted in a massive hack of up to 12 million websites. A highly critical SQL injection vulnerability, CVE-2014-3704, was found in Drupal version 7. The flaw allowed hackers to gain elevated privileges and steal information. It even enabled hackers to plant malicious code or backdoors on servers running the vulnerable applications.
“The so-called 'Drupalgeddon' vulnerability could have easily led to exploitation of any systems running the vulnerable code. With such an easy-to-exploit flaw, the chance of exfiltration of data or further exploitation is high,” said Gavin Millard, EMEA Technical Director at Tenable Network Security, The Register reported.
The Drupalgeddon 2.0 vulnerability first came to notice in early 2018. Its notoriety was highlighted by researcher Troy Mursch, who scanned nearly half a million Drupal websites and found that around 115,000 of them were vulnerable to Drupalgeddon 2.0.
Drupalgeddon 2.0 is an alias for the Drupal vulnerability SA-CORE-2018-002. It is associated with CVE-2018-7600, a remote code execution vulnerability found in several versions of Drupal, including 8.5 prior to 8.5.1, 7.x prior to 7.58 and all versions of Drupal 6.
Researchers at IBM Security’s Managed Security Services found that attackers leveraged the vulnerability to launch Shellbot malware on vulnerable Drupal websites. Once Shellbot is running on a website, it connects to a command-and-control (C2) server to receive instructions from the attackers.
Although the Drupalgeddon vulnerability has not been exploited in the wild, it is believed that cybercriminals could leverage the flaw to grab more unpatched websites in the future. Hence it is essential for users to follow a few simple, basic security tips in order to mitigate the risk. These include:
- Using updated protocols such as HTTPS.
- Updating the CMS to the most recent version.
- Performing input validation checks on all web applications to make sure that shell commands cannot be executed by outsiders.
- Implementing two-factor authentication (2FA) to protect your accounts.
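The "update the CMS" step only helps if you know which of your sites are still on an affected release. The following is an added example, not code from the article or from the Drupal project: it turns the version ranges the article gives for SA-CORE-2018-002 / CVE-2018-7600 (8.5 before 8.5.1, 7.x before 7.58, every Drupal 6 release) into an inventory check a defender can run over a list of site version strings. The inventory, hostnames and the `parse_version`, `drupalgeddon2_status` and `audit_inventory` helpers are all constructed for this example; Drupal 8 branches other than 8.5 are reported as "unknown" because the article does not state a fixed release for them.

```python
import re

# Version strings that are patched, exactly as the article states them
# (SA-CORE-2018-002): Drupal 7 from 7.58, Drupal 8.5 from 8.5.1.
FIXED_RELEASES = {7: "7.58", 8: "8.5.1"}

# major.minor[.patch][-prerelease], e.g. "7.58", "8.5.0", "8.5.0-rc1"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$")


def parse_version(text: str) -> tuple:
    """Turn a Drupal version string into a tuple that sorts correctly.

    Drupal 7 uses two numeric parts (7.58), Drupal 8 uses three (8.5.1);
    a missing patch number is treated as 0 so the tuples stay comparable.
    A pre-release suffix such as "-rc1" sorts *before* the final release.
    Wildcard strings like "7.x" are rejected: they name a branch, not a build.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    major, minor, patch, pre = m.groups()
    release_marker = (0, pre) if pre else (1, "")  # final > pre-release
    return (int(major), int(minor), int(patch or 0), release_marker)


def drupalgeddon2_status(version: str) -> str:
    """Classify one site version against the article's affected ranges.

    Returns "vulnerable", "patched" or "unknown" (branch not covered by
    the article's statement, so the reader must consult the advisory).
    """
    v = parse_version(version)
    major = v[0]
    if major == 6:
        return "vulnerable"            # article: all versions of Drupal 6
    if major == 7:
        return "vulnerable" if v < parse_version(FIXED_RELEASES[7]) else "patched"
    if major == 8:
        if v[1] != 5:
            return "unknown"           # 8.0-8.4: not covered by the article
        return "vulnerable" if v < parse_version(FIXED_RELEASES[8]) else "patched"
    if major > 8:
        return "patched"               # assumption: later majors postdate the fix
    return "unknown"                   # Drupal 5 and older: not covered


def audit_inventory(inventory: dict) -> dict:
    """Map each hostname in a {host: version} inventory to its status."""
    return {host: drupalgeddon2_status(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "intranet.example": "7.57",
    "shop.example": "7.58",
    "blog.example": "8.5.0",
    "docs.example": "8.5.1",
    "staging.example": "8.5.0-rc1",
    "legacy.example": "6.38",
    "archive.example": "8.4.6",
}

if __name__ == "__main__":
    for host, status in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:20s} {SAMPLE_INVENTORY[host]:10s} {status}")
```

Anything reported as "vulnerable" belongs at the top of the patch queue; anything "unknown" needs the full advisory rather than this article's summary, since the check deliberately encodes only the ranges stated above.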