Threat Actors Exploit New Drupal Flaw to Deliver Cryptocurrency Mining Malware

Back in March 2018, Drupal security teams fixed CVE-2018-7600 (also known as Drupalgeddon 2) and discovered another vulnerability (CVE-2018-7602) that could be exploited to deliver cryptocurrency mining malware in the process. Attacks against sites leveraging the open source content management system began just hours after the CVE-2018-7602 patch was released, giving site owners and operators little time to respond, Bleeping Computer reported in April 2018.

While the patch effectively curtails this crypto-mining effort, not all companies have implemented the fix.

How the Drupal Flaw Facilitates Cryptocurrency Mining

Monero mining is the aim of cybercriminals leveraging CVE-2018-7602. With 85 percent of all crypto-mining attacks now using Monero — and thieves grabbing more than $175 million from malicious mining techniques — it’s no surprise cybercriminals are exploiting this longstanding Drupal flaw to move more of the digital currency.

The method here is remote code execution (RCE), which affects Drupal versions 7 and 8. According to Trend Micro, the attack starts with a shell script download, followed by an Executable and Linkable Format (ELF) downloader to add a crontab entry. Since Drupal lacks input sanitization of # characters in URLs, threat actors can bypass standard protections to install Monero-based mining malware.

This attack vector also uses HTTP 1.0 POST to return data, making it an outlier since most organizations now use HTTP 1.1 or higher. As a result, businesses may not immediately flag this Drupal activity as suspicious.

How Critical Is the Vulnerability?

According to Drupal, this vulnerability is rated “highly critical” with a score of 20 out of 25. Attackers can leverage the flaw to take control of Drupal sites; install cryptocurrency miners and distributed denial-of-service (DDoS) malware; and create backdoors for easy, long-term access.

Threat actors are also using the Tor network to obfuscate their activity. When Trend Micro traced the attacks back along their IP trail, the endpoint was an IP address owned by a virtual private network (VPN) provider that’s also a Tor exit node.

Using open source Monero miner XMRig version 2.6.3, meanwhile, the malware checks whether potential targets are already compromised and then alters behavior to limit possible discovery, according to an IBM X-Force advisory. As a result, everything from compromised website performance to complete loss of control and ongoing vulnerability are on the table if companies are compromised.

Patching Makes Perfect

As noted by Sensors Tech Forum, CVE-2018-7602 “exists within multiple subsystems of Drupal 7.x and 8.x” and “could cause severe damage to a website, which could be hacked via remote code execution due to a missing input validation.”

To avoid potential problems, enterprises should:

  • Upgrade to Drupal 7.59 from 7.x.
  • Upgrade to Drupal 8.5.3 from 8.5x.
  • Upgrade to Drupal 8.4.8 from 8.4x.
  • Patch directly for 8.x or 7.x if an immediate upgrade isn’t possible (requires SA-CORE-2018-002 fix).
  • Monitor for signs of cryptocurrency mining infection, such as reduced performance and increased communications traffic that favors longer uploads and shorter downloads.

Sources: Bleeping Computer, Trend Micro, Drupal, Sensors Tech Forum

Douglas Bonderud

Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and...