Delaware, USA – April 18, 2018 – At the end of last week, the first PoC exploit for the critical vulnerability CVE-2018-7600 in the Drupal CMS was posted on GitHub. The patch for this vulnerability, dubbed Drupalgeddon2, was released on March 28. More than 1 million websites use Drupal to manage content, and the vulnerability allows adversaries to remotely execute code and gain full control over the attacked site. A few hours after the exploit was published, Sucuri detected the first attempts to abuse the vulnerability. Most of the early attacks merely tested whether the PoC exploit worked, but after the publication of a second PoC the attacks began to evolve, and adversaries now try to infect sites with backdoors and cryptocurrency miners. The exploit has already been weaponized by botnet operators – researchers from 360 Netlab discovered several versions of the Tsunami botnet abusing CVE-2018-7600.
To secure your website against Drupalgeddon2, you need to upgrade Drupal to version 7.58 or 8.5.1. The Drupal authors warn that sites that have not yet been updated may already be compromised. Installing the updates does not remove backdoors or cryptocurrency miners that were planted before the upgrade. They also reported cases in which attackers installed the updates themselves after compromising a website, in order to deceive its administrators. You can use the Web Application Security Framework for ArcSight to monitor suspicious activity on your website. It can help your SIEM detect shady connections and data exfiltration attempts.