Drupalgeddon Attacks Continue on Sites Missing Security Updates (CVE-2018-7600, CVE-2018-7602)
Recent attacks targeting Drupal instances vulnerable to Drupalgeddon 2 and Drupalgeddon 3 highlight the importance of identifying and patching vulnerable sites.
Hintergrund
In March 2018, Drupal published a security advisory, SA-CORE-2018-002 that addressed a critical Remote Code Execution (RCE) vulnerability with a CVE identifier of CVE-2018-7600. Tenable’s Security Response Team published a blog as well.
A few weeks after the publication of this security advisory, researchers at Check Point Software Technologies and Dofinity published “Uncovering Drupalgeddon 2.0,” providing technical details about CVE-2018-7600. The report included enough information that proof-of-concept (PoC) code began to appear on Github.
One month later, Drupal released SA-CORE-2018-004, a security advisory addressing CVE-2018-7602, another RCE vulnerability which became known as Drupalgeddon 3.
After PoC code for Drupalgeddon was released, attackers began leveraging these vulnerabilities in the wild to implant cryptomining scripts on websites (known as “cryptojacking”) as well as deliver backdoors and password stealing and Remote Access Trojan (RAT) malware.
Despite the availability of patches for both Drupalgeddon 2 and Drupalgeddon 3, there are still unpatched Drupal instances which are being targeted by cybercriminals.
Incident details
On November 19, Trustwave and Imperva published two separate blogs detailing recent attacks leveraging the Drupalgeddon 2 vulnerability.
Trustwave blogged about the discovery of a cryptomining script found on the Make-A-Wish international website which was linked to a known Drupalgeddon 2 campaign dating back to May 2018.
Imperva blogged about a campaign from the end of October that leveraged Drupalgeddon 2 and the Dirty COW (CVE-2016-5195) vulnerability to compromise systems in a persistent manner.
Both of these stories highlight ongoing efforts by cybercriminals to identify and target vulnerable Drupal instances and maintain persistence on compromised systems.
Urgently required actions
It is extremely important to identify Drupal instances that remain unpatched and apply the available patches for SA-CORE-2018-002 and SA-CORE-2018-004 immediately.
Identifizieren betroffener Systeme
A list of Nessus plugins to identify assets vulnerable to Drupalgeddon can be found here.
Weitere Informationen
- Drupal core - SA-CORE-2018-002
- Drupal core - SA-CORE-2018-004
- Critical Drupal Core Vulnerability: What You Need to Know
- Uncovering Drupalgeddon 2
- Hacker's Wish Come True After Infecting Visitors of Make-A-Wish Website With Cryptojacking
- DirtyCOW Bug Drives Attackers to A Backdoor in Vulnerable Drupal Web Servers
- Large cryptojacking campaign targeting vulnerable Drupal websites
- Tweet from GreyNoise Intelligence
- A look into Drupalgeddon’s client-side attacks
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
How To Assess the Cybersecurity Preparedness of IT Service Providers and MSPs
December 13, 2022Improperly evaluating the cybersecurity capabilities of prospective IT service providers and managed service providers (MSPs) can put your organization's data and systems at risk. A new guide from CompTIA can help you ask the right questions.
Cybersecurity Snapshot: 6 Things That Matter Right Now
October 14, 2022Topics that are top of mind for the week ending Oct. 14 | DevOps team culture is key for supply chain security | SecOps gets more challenging as attack surface expands | Weak credentials hurt cloud security | Incident responders grapple with stress | Security spending grows | And much more!
A Holiday Story, Internet Edition: The Impact Of Assessing And Addressing Log4j Installations Proactively
December 30, 2021A look at our log4j data.
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Incident Response
- Threat Management
- Vulnerability Management