A recently disclosed vulnerability in the Drupal content management system, tracked as CVE-2018-7600 and commonly referred to as “Drupalgeddon2,” has raised significant concern because it allows attackers to seize control of affected websites. Exploitation of the flaw has reportedly begun in the wild, with attackers deploying backdoors and cryptocurrency-mining software on compromised systems.

This critical remote code execution vulnerability was uncovered merely two weeks ago and has since been patched by Drupal developers, though details surrounding the exploit were withheld during the initial response. However, attention shifted rapidly when security researchers shared comprehensive details of the vulnerability, prompting the subsequent release of proof-of-concept exploit code. This led to aggressive Internet scanning and exploitation efforts.

Initially, reports indicated a lack of confirmed exploit attempts targeting systems; however, within days, various cybersecurity firms detected a marked uptick in malicious activities aimed at deploying cryptocurrency miners and other payloads onto vulnerable websites. The SANS Internet Storm Center identified such attacks, which included installation of PHP backdoors, IRC bots, and a cryptocurrency miner.

The PHP backdoor in question grants attackers the ability to upload further malicious files onto the compromised server, exacerbating the infection risk. Analysis from SANS ISC Infosec forums suggests that this vulnerability is being exploited to facilitate the installation of XMRig, a Monero mining application, alongside scripts designed to disrupt competing miners already running on the targeted systems.

Further investigation by Volexity has revealed a variety of activity linked to the public exploit, including a range of malicious scripts that plant backdoors and cryptocurrency miners on compromised sites. Volexity's findings point to a specific group, previously associated with exploiting vulnerabilities in Oracle WebLogic servers, as the likely operator of the mining campaigns; the group has reportedly amassed a substantial sum of Monero from similar exploits.

Data from Imperva confirms that the majority of Drupalgeddon2 attacks, approximately 90%, were basic IP scanning efforts searching for vulnerable systems. A smaller portion, about 5%, consisted of attempts to install backdoors or cryptocurrency miners on those systems.

Notably, Drupalgeddon2 enables unauthorized remote attackers to execute arbitrary code on compromised Drupal installations, impacting versions 6 through 8. Consequently, it is highly recommended that website administrators apply the necessary patches by updating to Drupal versions 7.58 or 8.5.1 without delay.

Drupal’s official advisory has underscored the urgency of remediation, warning that sites not patched by April 11, 2018, face the risk of compromise, and merely updating does not guarantee removal of any pre-installed backdoors.

As a precaution, administrators finding their sites unexpectedly patched should investigate further, as this could indicate prior compromise. For additional guidance on recovery strategies for hacked websites, resources provided by the Drupal team are indispensable.
