Researchers are warning of a new wave of cyber attacks targeting unpatched Drupal websites that are vulnerable to Drupalgeddon 2.0. What’s unique about this latest series of attacks is that adversaries are using PowerBot malware, an IRC-controlled bot also called PerlBot or Shellbot.
Researchers at IBM Security’s Managed Security Services reported the activity on Wednesday and said a successful attack can open a backdoor to a vulnerable Drupal website, giving adversaries complete control over the site. Under the NIST Common Misuse Scoring System, the Drupalgeddon 2.0 vulnerability has been given a score of 24/25, or highly critical.
The Drupal security team has known about the vulnerability since at least March, when it was disclosed and tracked as CVE-2018-7600. Upgrading older versions of Drupal 7 to 7.58 and older versions of Drupal 8 to 8.5.1 will patch the Drupalgeddon bug. Drupal is estimated to be used on 2.3 percent of all websites and web apps worldwide.
“Those found unpatched or vulnerable for some other reason might fall under the attacker’s control, which could mean a complete compromise of that site,” wrote co-authors Noah Adjonyo and Limor Kessem in a blog post. “With this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.”
According to researchers, the attackers scan websites looking specifically for the Drupalgeddon 2.0 vulnerability. If the target has the bug, the attackers then probe the /user/register and /user/password pages during the installation phase while brute-forcing a user password. Once the attacker has cracked a valid login, they install the Shellbot backdoor. The Shellbot instance that IBM’s researchers observed connects to an IRC channel and uses that channel as the hub for its command-and-control instructions.
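Two defender-side checks that follow from the article, as an added example that is not code from IBM’s report or from the article: a version check against the fix releases named above (7.58 and 8.5.1; a version below them, or on a major line the article does not name, is treated as unpatched) and a detector that counts, per client IP, hits on the /user/register and /user/password pages in an Apache combined-format access log so that the brute-force phase stands out. The log lines, IP addresses, threshold and function names are all constructed for this example.

```python
import re
from collections import Counter

# Fix releases named in the article: Drupal 7.58 and 8.5.1.
PATCHED = {7: (7, 58), 8: (8, 5, 1)}
# Pages the article says are probed and brute-forced after the bug is found.
AUTH_PATHS = ("/user/register", "/user/password")

# Apache combined log format, up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def drupal_is_patched(version: str) -> bool:
    """True if a Drupal version string is at or above the fix release for its major line."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = PATCHED.get(parts[0])
    if fixed is None:
        return False  # assumption: any major line not named in the article is treated as unpatched
    return parts >= fixed  # tuple comparison: (8, 5) < (8, 5, 1), so 8.5.0 is unpatched


def flag_auth_bruteforce(log_lines, threshold=5):
    """Return {ip: hit_count} for clients that hit the user pages at least `threshold` times."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0].rstrip("/")  # drop query string and trailing slash
        if path in AUTH_PATHS:
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def _line(ip, method, path, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [25/Jul/2018:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "curl/7.58"'


# Constructed sample log: one client hammering /user/password, one ordinary visitor, one unparseable line.
SAMPLE_LOG = (
    [_line("203.0.113.5", "POST", "/user/password", 200) for _ in range(6)]
    + [_line("203.0.113.5", "GET", "/user/register", 200),
       _line("198.51.100.7", "GET", "/user/password?x=1", 200),
       _line("198.51.100.7", "GET", "/node/1", 200),
       "not a log line"]
)

if __name__ == "__main__":
    print(flag_auth_bruteforce(SAMPLE_LOG))  # {'203.0.113.5': 7}
```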
Shellbot is a malicious backdoor script that has been around since 2005. It’s designed to exploit MySQL-database-driven websites, including those running a content management system (CMS) such as Drupal. Shellbot is constantly being reconfigured to target different remote code execution vulnerabilities, so it is conceivable that a future version of Shellbot will exploit web vulnerabilities that have not yet been introduced or discovered.
Once the attacker’s command-and-control server has shell access to a target Drupal website, the attacker can look for SQL injection vulnerabilities, launch DDoS attacks, distribute phishing spam, and terminate any existing crypto miners in order to install their own crypto mining malware.
Over the past year, since Drupalgeddon was publicly disclosed and patched, a number of cyber gangs have exploited the vulnerability in sites as notable as the San Diego Zoo, Lenovo and the National Labor Relations Board. In many of those incidents, adversaries targeted systems well suited to planting cryptocurrency miners.
“Injection is still the number one item in the Open Web Application Security Project top ten,” said Sean Wright, a lead application security engineer. “It continues to be an issue which presents itself and results in things such as remote code execution, such as in this case. Development teams need to ensure that they sanitize any data which they do not control to prevent issues such as this.”
Another issue that constantly presents itself is the lack of patching. Organizations are putting themselves at significant risk by not applying appropriate patches. After the Equifax breach last year, one would have thought that this would have provided a good example of why patching is so important. Unfortunately, this appears to not have been the case.