Websites Still Under Siege After 'Drupalgeddon' Redux

Unpatched Websites Provide Easy Targets for Attackers
Organizations running Drupal sites with known vulnerabilities that have been exploited include the Green Party of California. (Image: Malwarebytes)

Patching a content management system has never been a straightforward affair, and the carnage from back-to-back critical vulnerabilities in the Drupal CMS is still playing out.

Nearly two months after critical Drupal fixes were released, security firm Malwarebytes says it is still finding dozens of unpatched websites that have been exploited to host cryptocurrency miners or in other cases redirect to malware (see Cryptocurrency Miners Exploit Widespread Drupal Flaw).

The problems stem from two critical vulnerabilities in Drupal, both of which are remotely executable. That's a perfect combination for attackers: Give them a widely used piece of software such as Drupal, as well as known vulnerabilities that can be easily and remotely exploited without even needing to attempt to trick a victim into taking any action.

The first flaw, CVE-2018-7600, was revealed March 28, and the second, CVE-2018-7602, on April 25. The vulnerabilities were so severe that they were dubbed Drupalgeddon 2 and Drupalgeddon 3.

Although patches have been available since the vulnerabilities were publicized, attackers are still taking advantage of websites that haven't been upgraded.

"Rolling out a CMS is the easy part," writes Jerome Segura, lead malware intelligence analyst with Malwarebytes, in a blog post. "Maintaining it is where most problems occur due to lack of knowledge, fear of breaking something and, of course, costs."

Outdated Installs

To count the number of Drupal sites that remain unpatched, Malwarebytes says it used Shodan, a search engine for internet-connected devices, and PublicWWW, a service that can search for specific code strings.

Malwarebytes counted 80,000 Drupal-using websites, of which 900 showed signs of tampering. Most of the 900, however, were Drupal installations that didn't appear to be production systems, Segura writes.

Some 30 percent of sites were running Drupal version 7.3.x, a release that dates to August 2015. About 47 percent were running 7.5.x, Segura says.

Following the discovery of the second flaw in April, Drupal warned that any users still on version 7 should be running 7.59, and all version 8 users should be running 8.5. Although Drupal no longer supports 8.4.x, it did release a patched version, 8.4.8, in an effort to avoid leaving those installations vulnerable.

Troy Mursch, an independent security researcher with Bad Packets Report, says the number of Drupal-using websites that are being compromised continues to rise despite patches having been issued two months ago.

"Drupal is widely used by many government organizations around the world as well, and unfortunately we've seen quite a few of their sites not getting updated in a timely manner," Mursch says. "I've said this many times now - if you use Drupal, it is extremely important to update to the latest version available as soon as possible."

Miners Come Calling

The Drupal vulnerabilities are a kind of two-headed snake: They allow attackers to gain a foothold in server-side Drupal code and, from there, to deliver malware or cryptocurrency miners to visitors on the client side.

On the client side, Segura says Malwarebytes found that of the production websites that are vulnerable to the two flaws and which have been exploited, the majority - around 81 percent - are delivering cryptocurrency miners.

Cryptocurrency miners are delivered invisibly through a browser tab as someone is visiting a site. They're not inherently harmful, but can eat up computing resources if they're configured to act aggressively. The miner generates hashes that contribute to a mining pool, which rewards this computation by giving back participants virtual currency.

Coinhive, the most common miner seen in these types of "cryptojacking" scenarios, mines for the privacy-focused virtual currency monero, Segura says, adding that Crypto-Loot is another common miner (see Cryptojacking: Mitigating the Impact).

These drive-by mining attacks tapered off earlier this year, Segura says. But they have recently surged, apparently driven by the easy exploitability of the Drupal flaws.

"Coinhive injections remain by far the most popular choice, although public or private monero pools are gaining traction as well," he says.

Social Engineering Attacks

More harmful campaigns have also been detected. Some of the hacked Drupal sites have been redirecting users to pages that try to convince them to download malware disguised as legitimate software.

Others have pushed potential victims to tech support scam sites, where victims are falsely warned that their computer is infected with malware and told they need to call a specified phone number, with the warning messages freezing a browser. Malwarebytes terms these kinds of ploys "browlocks."

If a victim calls, the tech support scam overcharges for questionable services that purportedly cleanse computers. The U.S. Federal Trade Commission has filed legal action against tech support companies, but the ever-changing nature and sheer number of these groups make enforcement an unending chase.

Consider Virtual Patching

Drupal websites that have fallen victim to attackers include the University of Southern California, Computerworld's website for Brazil, the Green Party of California and an Arkansas government site, among others, Malwarebytes says.

"We have contacted all affected parties to let them know their resources are being used by criminals to generate profit from malicious cryptomining or malware infections," Segura writes.

At a minimum, any site running Drupal should look to web application firewalls that can apply what's known as "virtual patching." That can filter out attack traffic targeting a specific vulnerability even if the software patch has not been applied, according to web application security organization OWASP's overview on virtual patching.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.