New Critical Vulnerability in Drupal is actively exploited in the Wild

Delaware, USA ā€“ April 27, 2018 ā€“ Less than a month after Drupal developers patched critical vulnerability CVE-2018-7600 (Drupalgeddon 2) they released the new update to cope with the new flaw (CVE-2018-7602), which also allows attackers to gain complete control over the attacked website. Attackers weaponized Drupalgeddon 2 only after the publication of PoC, two weeks after the release of the update, to distribute backdoors and cryptocurrency miners as well as to encrypt websites’ content and demand a ransom. Cybercriminals started exploiting CVE-2018-7602 vulnerability much faster: the first PoC was published in a few hours after the release of the update and adversaries almost immediately started attacks on websites. Drupal developers foresaw the possibility of such situation and warned about update’s release in advance, but there are still a lot of vulnerable sites in the world.

If you use Drupal CMS, you need to install the latest software updates as soon as possible (upgrade to Drupal 7.59, 8.5.3. or 8.4.8.). If your site has been compromised before the update is installed, it will remain under the control of the attackers, so you need to investigate any suspicious activity on your web-resources. To uncover malicious actions and breach attempts, you can use Web Application Security Framework for ArcSight that can act as an early warning system for business applications.