Researchers frequently reveal new vulnerabilities and attempt to fix them as quickly as possible. This time, a dangerous flaw in Drupal is causing serious issues for website owners. At the end of March, the Drupal security team posted an advisory discussing a highly critical remote control vulnerability in several subsystems of Drupal 7.x and 8.x. According to the announcement, the flaw could allow cyber criminals to hack into any website running on Drupal.
As a solution, Drupal advised site owners to upgrade to the new versions 7.58 and 8.5.1. This seemed like the end of the crisis. However, researchers from Check Point and Dofinity released additional information about the flaw in Drupal. Soon enough, specialists started referring to the flaw as “Drupalgeddon2” and observed that it was being exploited by cyber criminals.
If exploited, Drupal vulnerability could allow hackers to control websites
It is natural for online services to patch vulnerabilities on a regular basis. However, if the released patches are not applied, hackers can start exploiting these flaws for illegal activities and cyber attacks. For instance, vulnerabilities in Microsoft Office allowed criminals to spread Zyklon malware. Flaws in Huawei routers gave the Satori botnet a remote control vulnerability to exploit. Even HP Enterprise printers were exploited by hackers.
Researchers continued to emphasize the seriousness of this vulnerability and urged Drupal site owners to update their websites as soon as possible. If not, attackers could exploit the Drupalgeddon2 flaw and take over any compromised website. While researchers did not detect any attempts to exploit the vulnerability for a while, it did not take long for hackers to take advantage of this opportunity.
Specialists are now reporting that cyber criminals are indeed exploiting the Drupalgeddon2 vulnerability for a few very distinct purposes: to deliver malware backdoors, IRC bots and crypto-currency miners. If you have not heard of crypto-miners, we have several articles that will help you get a clearer picture of this malware.
Thanks to a comprehensive analysis of the attacks, it was determined that hackers are exploiting the Drupal vulnerability to spread the XMRig Monero miner. However, specialists also list other types of malware that criminals might be attempting to distribute. After considering more details of the attacks, researchers also began crafting another theory. According to them, exploitation of the Drupal vulnerability might be done by the same hackers that were responsible for the attacks against Oracle WebLogic servers.
Considering how suddenly cyber criminals began exploiting the Drupal vulnerability, we hope that you won’t ignore the recommended upgrades any longer. Update Drupal websites to the latest versions to stay protected from malicious acts. However, if you become one of the victims of these malicious campaigns, Drupal has released a helpful article. According to it, owners of compromised websites should contact the Drupal security team through [email protected]. They also recommend generating a forensic copy of the site, and considering rebuilding the website or even taking it offline. If you suspect that your website is being used to distribute malware, send spam, or as a pivot to further attacks, then taking it offline and installing a placeholder will at least prevent further damage.
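To act on the upgrade advice above, the first step is knowing which version each Drupal install is running. The following checker is an added example (not code from the article or from the Drupal project): it pulls the version string out of Drupal's own source (the `VERSION` constant in `includes/bootstrap.inc` for 7.x and `core/lib/Drupal.php` for 8.x; those locations and the constant's form are assumptions) and compares it with the two patched releases the article names, treating any lower version on the same major line as needing the upgrade.

```python
import re
from typing import Optional

# Patched releases named in the article, keyed by major version.
PATCHED = {7: (7, 58), 8: (8, 5, 1)}


def version_from_source(src: str) -> Optional[str]:
    """Extract the VERSION constant from Drupal core source text.

    Assumed forms: Drupal 7  define('VERSION', '7.58');
                   Drupal 8  const VERSION = '8.5.1';
    """
    m = re.search(
        r"""(?:define\(\s*['"]VERSION['"]\s*,\s*|const\s+VERSION\s*=\s*)['"]([0-9.]+)['"]""",
        src,
    )
    return m.group(1) if m else None


def parse_version(text: str) -> tuple:
    """Turn '8.5.1' into (8, 5, 1); reject anything that is not dotted integers."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def assess(version: str) -> str:
    """'patched', 'needs-upgrade', or 'unknown' for majors the article does not cover."""
    v = parse_version(version)
    fixed = PATCHED.get(v[0])
    if fixed is None:
        return "unknown"
    padded = v + (0,) * (len(fixed) - len(v))  # '8.6' compares as (8, 6, 0)
    return "patched" if padded >= fixed else "needs-upgrade"


# Constructed sample lines standing in for the two core files.
SAMPLE_D7 = "define('VERSION', '7.57');"
SAMPLE_D8 = "const VERSION = '8.5.1';"

if __name__ == "__main__":
    for src in (SAMPLE_D7, SAMPLE_D8):
        ver = version_from_source(src)
        print(ver, "->", assess(ver) if ver else "version not found")
```

Run it against the real file contents of each install you manage; an `unknown` result means the major version is outside the two lines the article covers and must be checked separately.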