Get Ready for Another Critical Drupal Patch Related to Drupalgeddon2

Developers of the popular Drupal content management system plan to release a critical out-of-band patch April 25 that’s related to the actively exploited Drupalgeddon2 vulnerability fixed late last month.

“There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 – 18:00 UTC,” the Drupal developers said in an announcement Monday. “This security release is a follow-up to the one released as SA-CORE-2018-002 on March 28.”

SA-CORE-2018-002 refers to a highly critical remote code execution flaw that affects all Drupal versions starting with 6.x and which has become known in the security industry as Drupalgeddon2 (CVE-2018-7600).

The flaw is currently being used to compromise Drupal websites in widespread attacks after a proof-of-concept exploit for the vulnerability appeared last week.

Although it is related to Drupalgeddon2, the upcoming patch appears to address a different flaw, tracked separately as CVE-2018-7602. The Drupal team has not released any other details about the issue at this time.

“Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure,” the Drupal security team said. “Sites on 8.4.x should immediately update to the 8.4.8 release that will be provided in the advisory, and then plan to update to 8.5.3 or the latest security release as soon as possible (since 8.4.x no longer receives official security coverage).”

Major BGP Hijacking Attack Used to Steal Cryptocurrency

Hackers used BGP hijacking techniques to divert traffic destined for Amazon’s Route 53 cloud DNS service for two hours on April 24. The attack was used to steal Ethereum cryptocurrency from users of a web-based wallet service, but other websites might have been affected as well.

The Border Gateway Protocol (BGP) is used to establish routing paths on the internet and relies primarily on trust between network operators. If one operator announces routes for a block of IP addresses that it doesn’t actually manage, there is a good chance that other peers will accept those routes as legitimate.

Routing leaks and BGP hijacks have become common occurrences in recent years. Sometimes they are caused by misconfigurations, but other times they’re intentional and their perpetrators have nefarious motives, such as in this case.

The attackers first announced routes for Route 53, a managed cloud DNS provider used by many large websites and businesses, through an ISP from Columbus, Ohio. It’s not yet clear how they managed to do that.

They then hijacked the DNS responses for MyEtherWallet.com, redirecting legitimate visitors to a server in Russia. The rogue server displayed a fake version of the website with a self-signed certificate, triggering warnings in many users’ browsers. Even so, some of them went ahead and entered their login credentials on the fake website, providing attackers with a way to access their wallets and steal their Ethereum.

“The security vulnerabilities in BGP and DNS are well known, and have been attacked before,” security researcher Kevin Beaumont said in a blog post. “This is the largest scale attack I have seen which combines both, and it underscores the fragility of internet security.”

“Mounting an attack of this scale requires access to BGP routers are (sic) major ISPs and real computing resource (sic) to deal with so much DNS traffic,” Beaumont added. “It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access.”

The Internet Society’s Mutually Agreed Norms for Routing Security (MANRS) project is part of the efforts to secure global internet routing. ISPs and other network operators join MANRS voluntarily and commit to implementing its recommended best practices for routing security. The project launched a program this week specifically aimed at internet exchange points (IXPs).
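The trust problem described above (peers accepting a route announcement for address space the announcer does not hold) is what route origin validation is meant to catch: each announcement is checked against Route Origin Authorizations (ROAs) that record which autonomous system is allowed to originate a prefix and up to what prefix length. The following is an added example, not code from the article or from MANRS, implementing the RFC 6811 validity states (valid, invalid, not found) over a constructed ROA table and a constructed set of announcements; all prefixes and AS numbers are documentation-range values chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Validity(Enum):
    """RFC 6811 route origin validation states."""
    VALID = "valid"          # a ROA covers the prefix and matches origin + maxLength
    INVALID = "invalid"      # ROAs cover the prefix, but none matches
    NOT_FOUND = "not_found"  # no ROA covers the prefix at all


@dataclass(frozen=True)
class ROA:
    prefix: IPNetwork
    max_length: int   # longest prefix length the holder authorises
    origin_asn: int   # AS allowed to originate the prefix


def roa_covers(roa: ROA, prefix: IPNetwork) -> bool:
    """A ROA 'covers' an announced prefix when the prefix lies inside the ROA prefix.
    Coverage ignores maxLength on purpose: a too-specific announcement of covered
    space is INVALID, not NOT_FOUND (RFC 6811 section 2)."""
    return roa.prefix.version == prefix.version and prefix.subnet_of(roa.prefix)


def roa_matches(roa: ROA, prefix: IPNetwork, origin_asn: int) -> bool:
    """A ROA 'matches' when it covers the prefix, the origin AS agrees and the
    announced prefix length does not exceed maxLength."""
    return (roa_covers(roa, prefix)
            and roa.origin_asn == origin_asn
            and prefix.prefixlen <= roa.max_length)


def validate_origin(prefix: str, origin_asn: int, roas: List[ROA]) -> Validity:
    """Classify one (prefix, origin AS) announcement against the ROA table."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if roa_covers(r, net)]
    if not covering:
        return Validity.NOT_FOUND
    if any(roa_matches(r, net, origin_asn) for r in covering):
        return Validity.VALID
    return Validity.INVALID


def classify_announcements(announcements: List[Tuple[str, int]],
                           roas: List[ROA]) -> List[Tuple[str, int, Validity]]:
    """Run validation over a batch of announcements, e.g. a BGP table dump."""
    return [(p, asn, validate_origin(p, asn, roas)) for p, asn in announcements]


# Constructed ROA table: the holder of 203.0.113.0/24 authorises AS64500 only,
# and only at /24 (maxLength 24), so no more-specific announcement is permitted.
SAMPLE_ROAS = [
    ROA(ipaddress.ip_network("203.0.113.0/24"), max_length=24, origin_asn=64500),
]

# Constructed announcements: one legitimate route, a more-specific hijack from the
# right AS, a hijack from a foreign AS, and unrelated space with no ROA.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # legitimate origin, authorised length -> VALID
    ("203.0.113.0/25", 64500),   # more-specific than maxLength -> INVALID
    ("203.0.113.0/24", 64501),   # wrong origin AS -> INVALID
    ("198.51.100.0/24", 64502),  # no ROA covers this space -> NOT_FOUND
]


def invalid_routes(announcements: List[Tuple[str, int]],
                   roas: List[ROA]) -> List[Tuple[str, int]]:
    """The routes an operator enforcing ROV would reject (RFC 6811 'invalid')."""
    return [(p, asn) for p, asn, v in classify_announcements(announcements, roas)
            if v is Validity.INVALID]


if __name__ == "__main__":
    for prefix, asn, verdict in classify_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print(f"{prefix:18} AS{asn}  {verdict.value}")
```

Two details matter in practice: a more-specific prefix from the correct origin is still invalid because it exceeds the ROA's maxLength (more-specifics win in BGP path selection, which is why hijackers favour them), and space with no ROA is merely "not found", so ROV only protects prefixes whose holders have published ROAs. Dropping invalid routes is the operator's enforcement decision; the validator only classifies.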

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
