Critical Security Flaw Leaves Thousands of Drupal Websites Vulnerable
A significant security vulnerability impacting websites built on the Drupal content management system (CMS) has come to light, with over 115,000 sites remaining unpatched months after security fixes were released. This highly critical vulnerability, known as Drupalgeddon2 (CVE-2018-7600), was initially identified in late March, yet many organizations have not implemented the necessary updates, despite repeated warnings from security researchers and authorities.
Troy Mursch, a security researcher instrumental in identifying these vulnerable sites, conducted extensive scans of the Internet and discovered that hundreds of thousands of websites, including those affiliated with prominent educational and governmental institutions, are still exposed. Alarmingly, nearly 500,000 websites run on Drupal 7, with a significant number of them still using outdated versions vulnerable to exploitation.
Drupalgeddon2 allows unauthenticated remote attackers to execute arbitrary code on default installations of Drupal, potentially enabling them to take complete control of affected sites. The vulnerability’s serious nature has raised concerns about its appeal to cybercriminals, prompting the Drupal organization to initially withhold technical details to prevent exploitation.
Shortly after complete details and proof-of-concept exploit code were made public, attackers began leveraging the vulnerability for nefarious purposes. Reports indicate that automated exploits have been developed, enabling the injection of cryptocurrency miners, backdoors, and various types of malware into compromised sites within hours of the vulnerability’s disclosure.
Mursch’s findings highlighted alarming cases, including the infection of websites belonging to the Belgian police, the Colorado Attorney General’s office, and corporate entities such as the Fiat subsidiary Magneti Marelli. These sites fell prey to a cryptojacking campaign, which hijacks visitors’ and servers’ computing resources for cryptocurrency mining.
Furthermore, analysis revealed that some compromised websites had already upgraded to the latest Drupal version, yet the cryptojacking malware persisted. This poses a critical challenge: simply upgrading to the latest version of Drupal closes the vulnerability but does not remove backdoors or other changes an attacker made before the patch was applied. For effective remediation, site owners are advised to follow the official Drupal security guide to fully mitigate the threat, including treating a site exploited before patching as compromised.
Organizations must remain vigilant and proactive in addressing vulnerabilities. As this incident illustrates, failure to apply critical security updates can leave systems exposed, making them prime targets for cybercriminal activities. Understanding relevant tactics from the MITRE ATT&CK Matrix, such as initial access and persistence, can provide insight into the methods employed by adversaries and inform stronger defensive strategies moving forward.
Cybersecurity experts underscore the importance of a comprehensive security posture, urging business owners to implement regular updates and conduct thorough system audits to minimize the risk of falling victim to emerging vulnerabilities like Drupalgeddon2. As cyber threats continue to evolve, staying informed and prepared is essential for safeguarding organizational assets.