Drupalgeddon2 flaw still being exploited

By Dylan Bushell-Embling
Monday, 14 October, 2019

A new attack campaign targeting Drupal CMS implementations is targeting a seemingly random assortment of high-profile websites.

The campaign, uncovered by Akamai Security Intelligence Response Team member Larry Cashdollar, leverages the Drupalageddon2 exploit that was patched in March 2018.

The attack is designed to run code embedded inside a .gif file and is seeking to exploit unpatched Drupal implementations in use by the targeted sites, Cashdollar said.

Examining the malicious code embedded inside the gif, as well as Akamai network attack logs, indicates that the code is designed to trigger the download of two pieces of malware.

The first malware allows for various functions including remote file execution, replacing a site’s .htaccess file, sending an email with credentials and renaming files.

The second connects to a now-defunct IRC server to allow it to receive commands, and also includes various tools including DDoS and remote access trojan (RAT) functionality and SQL flooding capability.

Cashdollar said the discovery highlights the fact that attackers will continue to target critical vulnerabilities, even if their public disclosure date is over a year old.

“When the vulnerability’s exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation and infection when there are poorly maintained and forgotten systems,” he said.

“This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems — creating a pivot point on the network. Maintaining patches in a timely fashion — as well as properly decommissioning servers if they’re no longer being used — is the best preventative measure that administrators and security teams can take.”

Tenable VP of Intelligence Gavin Millard said the attack in fact demonstrates that critical vulnerabilities do not lessen in severity as they age, and in some ways the reverse is true.

“This was a critical vulnerability a year ago and ease of identification and exploitation has only improved. If you have an externally facing version of Drupal vulnerable to this simple attack, the probability of it being popped increases every day and, if it hasn't yet, your luck will soon run out,” he said.

“A quick scan for all externally facing systems for [the vulnerability] and putting together a rapid remediation plan for sites affected would be wise.”

Image credit: ©stock.adobe.com/au/Lasha Kilasonia

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.