Delaware, USA – November 20, 2018 – Researchers from Imperva warn of a new wave of attacks on websites with the Drupal content management system. Adversaries use the Drupalgeddon2 (CVE-2018-7600) and DirtyCOW (CVE-2016-5195) exploits to gain access to a site and install the SSH client to perform further actions. Researchers spotted mass-scanning the Internet for websites using a vulnerable version of Drupal. When such a website is located, adversaries use the Drupalgeddon2 exploit, which was published on GitHub in mid-April. With its help, attackers establish a foothold and search for credentials in the database in order to use them to try to gain access to the server on which the site is hosted. In case of failure, they use Dirty COW exploit to gain root access to the attacked server and to install SSH daemon. So far, the objectives of the attackers are unknown, but the researchers suggest that the most likely scenario is the installation of cryptocurrency miners.
To ensure the security of your web servers, you need to check that your website is running Drupal 7.59+, 8.5.3+ or 8.4.8+ (since earlier versions are vulnerable to CVE-2018-7602, for which exists publicly available exploit). If an earlier version is used, it is necessary to install all updates and investigate any suspicious activity, since installing updates does not prevent access to the server using previously installed backdoors. Also, you can use Web Application Security Framework for ArcSight to detect shady connections and data exfiltration attempts: https://my.socprime.com/en/integrations/web-application-security-framework-hpe-arcsight