Hackers are increasingly exploiting a recently fixed vulnerability in the Drupal content management system that allows them to take complete control of powerful web servers, researchers from several security firms are warning.
At least three different attack groups are exploiting “Drupalgeddon2,” the name given to a highly critical vulnerability that Drupal maintainers patched at the end of March, researchers with Netlab 360 said Friday. Officially indexed as CVE-2018-7600, Drupalgeddon2 makes it easy for anyone on the Internet to gain complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. Exploits allow attackers to run whatever code they want without needing an account of any kind on the vulnerable website. The remote code execution vulnerability is reminiscent of a 2014 Drupal vulnerability that likewise made it easy to commandeer vulnerable servers.
Drupalgeddon2 “is under active attack, and every Drupal site behind our network is constantly being probed from multiple IP addresses,” Daniel Cid, CTO and founder of security firm Sucuri, told Ars. “Anyone who hasn’t been patched has already been hacked at this point. Since the first public release, we’ve seen this arms race between criminals as they all try to hack as many sites as they can.”
China-based Netlab 360, meanwhile, said at least three competing hacking groups were exploiting the vulnerability. The most active group, Netlab 360 researchers said in a blog post published Friday, installs multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other sites. The group, dubbed Muhstik after a keyword that appears in its code, relies on 11 separate command-and-control domains and IP addresses, presumably for redundancy in the event one is taken down.
Netlab 360 says the IP addresses that serve the malicious payloads are widely dispersed and mostly run Drupal, an indication of worm-like behavior in which infected sites attack vulnerable sites that have not yet been infected. Worms are among the most powerful types of malware because their self-propagation lets them spread virally without further attacker involvement.
Adding an extra punch, Muhstik also exploits already patched vulnerabilities in other server applications, in case administrators have not installed the fixes. Webdav, WebLogic, Webuzo, and WordPress are some of the other applications the group is targeting.
Muhstik has connections to Tsunami, a strain of malware that has been active since 2011 and that infected more than 10,000 Unix and Linux servers in 2014. Muhstik has also adopted some of the infection techniques found in Internet-of-things botnets. Its propagation methods include scanning for vulnerable server applications and probing servers for weak secure shell, or SSH, passwords.
The widespread abuse of Drupal servers harkens back to the epidemic of unpatched Windows servers a decade ago, which gave criminal hackers a foothold on millions of PCs. Attackers then used those distributed perches to launch new intrusions. Because web servers typically have much more bandwidth and computing power than PCs, server compromises are a very serious threat to the Internet.
Drupal maintainers have patched the critical vulnerability in both the 7.x and 8.x version families, as well as in the 6.x family, which maintainers stopped supporting in 2016. Site administrators who have not yet installed the patch should assume their systems have been compromised and take immediate action to disinfect them.