Back in March 2018, Drupal security teams fixed CVE-2018-7600 (also known as Drupalgeddon 2) and discovered another vulnerability (CVE-2018-7602) that could be exploited to deliver cryptocurrency mining malware in the process. Attacks against sites leveraging the open source content management system began just hours after the CVE-2018-7602 patch was released, giving site owners and operators little time to respond, Bleeping Computer reported in April 2018.

While the patch effectively curtails this crypto-mining effort, not all companies have implemented the fix.

How the Drupal Flaw Facilitates Cryptocurrency Mining

Monero mining is the aim of cybercriminals leveraging CVE-2018-7602. With 85 percent of all crypto-mining attacks now using Monero — and thieves grabbing more than $175 million from malicious mining techniques — it’s no surprise cybercriminals are exploiting this longstanding Drupal flaw to move more of the digital currency.

The method here is remote code execution (RCE), which affects Drupal versions 7 and 8. According to Trend Micro, the attack starts with a shell script download, followed by an Executable and Linkable Format (ELF) downloader to add a crontab entry. Since Drupal lacks input sanitization of # characters in URLs, threat actors can bypass standard protections to install Monero-based mining malware.

This attack vector also uses HTTP 1.0 POST to return data, making it an outlier since most organizations now use HTTP 1.1 or higher. As a result, businesses may not immediately flag this Drupal activity as suspicious.

How Critical Is the Vulnerability?

According to Drupal, this vulnerability is rated “highly critical” with a score of 20 out of 25. Attackers can leverage the flaw to take control of Drupal sites; install cryptocurrency miners and distributed denial-of-service (DDoS) malware; and create backdoors for easy, long-term access.

Threat actors are also using the Tor network to obfuscate their activity. When Trend Micro traced the attacks back along their IP trail, the endpoint was an IP address owned by a virtual private network (VPN) provider that’s also a Tor exit node.

Using open source Monero miner XMRig version 2.6.3, meanwhile, the malware checks whether potential targets are already compromised and then alters behavior to limit possible discovery, according to an IBM X-Force advisory. As a result, everything from compromised website performance to complete loss of control and ongoing vulnerability are on the table if companies are compromised.

Patching Makes Perfect

As noted by Sensors Tech Forum, CVE-2018-7602 “exists within multiple subsystems of Drupal 7.x and 8.x” and “could cause severe damage to a website, which could be hacked via remote code execution due to a missing input validation.”

To avoid potential problems, enterprises should:

  • Upgrade to Drupal 7.59 from 7.x.
  • Upgrade to Drupal 8.5.3 from 8.5x.
  • Upgrade to Drupal 8.4.8 from 8.4x.
  • Patch directly for 8.x or 7.x if an immediate upgrade isn’t possible (requires SA-CORE-2018-002 fix).
  • Monitor for signs of cryptocurrency mining infection, such as reduced performance and increased communications traffic that favors longer uploads and shorter downloads.

Sources: Bleeping Computer, Trend Micro, Drupal, Sensors Tech Forum

More from

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…