July 23, 2018 By Douglas Bonderud 2 min read

Back in March 2018, Drupal security teams fixed CVE-2018-7600 (also known as Drupalgeddon 2) and discovered another vulnerability (CVE-2018-7602) that could be exploited to deliver cryptocurrency mining malware in the process. Attacks against sites leveraging the open source content management system began just hours after the CVE-2018-7602 patch was released, giving site owners and operators little time to respond, Bleeping Computer reported in April 2018.

While the patch effectively curtails this crypto-mining effort, not all companies have implemented the fix.

How the Drupal Flaw Facilitates Cryptocurrency Mining

Monero mining is the aim of cybercriminals leveraging CVE-2018-7602. With 85 percent of all crypto-mining attacks now using Monero — and thieves grabbing more than $175 million from malicious mining techniques — it’s no surprise cybercriminals are exploiting this longstanding Drupal flaw to move more of the digital currency.

The method here is remote code execution (RCE), which affects Drupal versions 7 and 8. According to Trend Micro, the attack starts with a shell script download, followed by an Executable and Linkable Format (ELF) downloader to add a crontab entry. Since Drupal lacks input sanitization of # characters in URLs, threat actors can bypass standard protections to install Monero-based mining malware.

This attack vector also uses HTTP 1.0 POST to return data, making it an outlier since most organizations now use HTTP 1.1 or higher. As a result, businesses may not immediately flag this Drupal activity as suspicious.

How Critical Is the Vulnerability?

According to Drupal, this vulnerability is rated “highly critical” with a score of 20 out of 25. Attackers can leverage the flaw to take control of Drupal sites; install cryptocurrency miners and distributed denial-of-service (DDoS) malware; and create backdoors for easy, long-term access.

Threat actors are also using the Tor network to obfuscate their activity. When Trend Micro traced the attacks back along their IP trail, the endpoint was an IP address owned by a virtual private network (VPN) provider that’s also a Tor exit node.

Using open source Monero miner XMRig version 2.6.3, meanwhile, the malware checks whether potential targets are already compromised and then alters behavior to limit possible discovery, according to an IBM X-Force advisory. As a result, everything from compromised website performance to complete loss of control and ongoing vulnerability are on the table if companies are compromised.

Patching Makes Perfect

As noted by Sensors Tech Forum, CVE-2018-7602 “exists within multiple subsystems of Drupal 7.x and 8.x” and “could cause severe damage to a website, which could be hacked via remote code execution due to a missing input validation.”

To avoid potential problems, enterprises should:

  • Upgrade to Drupal 7.59 from 7.x.
  • Upgrade to Drupal 8.5.3 from 8.5x.
  • Upgrade to Drupal 8.4.8 from 8.4x.
  • Patch directly for 8.x or 7.x if an immediate upgrade isn’t possible (requires SA-CORE-2018-002 fix).
  • Monitor for signs of cryptocurrency mining infection, such as reduced performance and increased communications traffic that favors longer uploads and shorter downloads.

Sources: Bleeping Computer, Trend Micro, Drupal, Sensors Tech Forum

More from

DHS establishes Artificial Intelligence Safety and Security Board

3 min read - As part of its commitment to addressing the rapid growth and adoption of AI technology across all industries and sectors, the Department of Homeland Security (DHS) announced the establishment of the Artificial Intelligence Safety and Security Board in late April. The Board’s first meeting is planned for early May when they will begin the task of focusing on how to develop and deploy AI technology within the United States’ critical infrastructure safely and securely. Based on the DHS Homeland Threat…

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

White House cements CISA’s role as national coordinator for cybersecurity

2 min read - In 2013, the Obama Administration rolled out "The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience", a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created "to strengthen and maintain secure, functioning and resilient critical infrastructure." The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today