Hackers Exploit Drupal Vulnerability to Install Cryptocurrency Miners

A highly critical vulnerability patched in the popular Drupal content management system two weeks ago is seeing a wave of exploits, some of which install cryptocurrency mining malware on servers.

The vulnerability, tracked as CVE-2018-7600 and also dubbed Drupalgeddon2, affects all versions of Drupal since version 6.x and was patched in late March. Due to the severity of the flaw, the Drupal team issued a pre-notification one week in advance to alert users that they should update their installations as soon as the patch landed, because the risk of widespread exploitation was very high.

The expected attacks didn’t materialize immediately because there were no public details about the vulnerability, but that changed last week.

On April 12, researchers from security firm Check Point Software Technologies posted a detailed analysis of the flaw on their blog explaining exactly how it works. Then someone else decided to build a working proof-of-concept exploit and publish it on GitHub.

Within hours, researchers from the SANS Internet Storm Center started seeing probes that used the exploit hitting their honeypots. This was also confirmed by researchers from web security firm Sucuri.

The initial probes were used to identify vulnerable servers and to execute basic commands such as ping, whoami or phpinfo() to verify that code execution works. But these were soon followed by malicious payloads.

The SANS researchers observed attacks deploying an install script that downloaded xmrig, a program that uses the server’s CPU resources to mine Monero cryptocurrency.

Users who haven’t yet updated their Drupal deployments should do so as soon as possible, as these attacks will only increase in frequency over the days to come.

65,000 Routers Used as Proxies for Malicious Activity Through UPnP

Hackers are hijacking routers with insecure UPnP implementations and using them to hide their real IP address when they engage in illegal activities such as spamming, account takeover, credit card fraud and DDoS.

Researchers from content delivery network provider Akamai have found a botnet made up of more than 65,000 routers that have had rogue entries injected into their Network Address Translation (NAT) tables, making them act as HTTP proxy servers.

Universal Plug and Play (UPnP) is a service that allows devices to discover each other inside local networks and automatically open ports for services such as data sharing and media streaming. Normally, the UPnP service should only be exposed to the local network, but bad and insecure implementations have been found in numerous devices over the years, especially in home routers.

Akamai’s scans found 4.8 million devices on the internet that accepted queries over UDP SSDP, the UDP portion of UPnP. Of those, 65,000 showed signs that they had already been hijacked and were part of a botnet that Akamai has dubbed UPnProxy.
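As an added, defender-side example (not code from the article or from Akamai's report): a Python audit of the port-mapping entries a router hands back through the IGD GetGenericPortMappingEntry action, flagging any entry that forwards traffic to a host outside the LAN. The rule that a mapping pointing at a public address marks a rogue relay is an assumption made here, and the SOAP responses are constructed samples, not captured traffic.

```python
"""Audit UPnP IGD port mappings for UPnProxy-style rogue entries."""
import ipaddress
import xml.etree.ElementTree as ET

# Service whose GetGenericPortMappingEntry action returns one NAT entry per call.
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Address ranges a home router should legitimately forward to (RFC 1918,
# loopback, link-local). Anything else is treated as suspicious below.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def parse_mapping(soap_xml: str) -> dict:
    """Extract the fields of one GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(soap_xml)
    resp = root.find(f".//{{{WANIP_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    # Argument elements inside the response carry no namespace.
    return {child.tag: (child.text or "").strip() for child in resp}

def is_rogue(mapping: dict) -> bool:
    """Assumption: a legitimate mapping forwards to a LAN host. A mapping whose
    InternalClient is a public address turns the router into a relay to it."""
    try:
        client = ipaddress.ip_address(mapping["NewInternalClient"])
    except (KeyError, ValueError):
        return True  # malformed entries deserve a look too
    return not any(client in net for net in LAN_NETS)

def audit(responses) -> list:
    """Return the parsed mappings that look like UPnProxy relays."""
    return [m for m in map(parse_mapping, responses) if is_rogue(m)]

def _response(ext_port, client, int_port, desc):
    """Build a constructed sample response in the IGD SOAP layout."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">
  <NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>
  <NewProtocol>TCP</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>
  <NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
  <NewPortMappingDescription>{desc}</NewPortMappingDescription>
  <NewLeaseDuration>0</NewLeaseDuration>
 </u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

# Constructed samples: one normal LAN forward, one relay to a public host.
SAMPLE_RESPONSES = [
    _response(32400, "192.168.1.20", 32400, "media server"),
    _response(47801, "203.0.113.17", 80, "proxy"),
]

if __name__ == "__main__":
    for m in audit(SAMPLE_RESPONSES):
        print("rogue mapping:", m["NewExternalPort"], "->", m["NewInternalClient"])
```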

“Carriers and ISPs need to be aware of the vulnerability, as end users and customers may appear to be hosting content or the source of attacks when the responsible party is actually behind one or several layers of compromised routers,” the researchers said in their report. “Law enforcement officers should be advised that, similar to other types of proxies, UPnProxy has the potential to make their jobs harder by adding another layer of obfuscation to traffic from criminal actors.”

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
