Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Attackers Target Drupal Web Servers with Chained Vulnerabilities

A recent attack targeted Drupal web servers with a chain of vulnerabilities that included the infamous Drupalgeddon2 and DirtyCOW flaws, Imperva security researchers say.

The attack was short and impacted only some Linux-based systems, but it was noteworthy for attempting to persistently infect vulnerable servers and take over machines.

A recent attack targeted Drupal web servers with a chain of vulnerabilities that included the infamous Drupalgeddon2 and DirtyCOW flaws, Imperva security researchers say.

The attack was short and impacted only some Linux-based systems, but it was noteworthy for attempting to persistently infect vulnerable servers and take over machines.

Drupalgeddon2, a vulnerability tracked as CVE-2018-7600, impacts Drupal versions 6, 7 and 8 and could be exploited to gain full control of a site. Addressed in March this year, the flaw has been exploited for months and remains an important threat because of slow patching. 

DirtyCOW, on the other hand, is a Linux kernel vulnerability that allows an attacker to escalate privileges by modifying existing setuid files. Caused by a race condition in the manner in which Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings, the bug was being already exploited when patched in fall 2016. 

As part of the newly observed attack, cybercriminals are attempting to compromise Drupal servers using exploits for both Drupalgeddon2 and DirtyCOW, while also trying to gain access to the target machines via system misconfigurations. 

Unlike previously observed remote code execution (RCE) attacks on web servers, which were usually once-off security events, the new incident reveals the adoption of persistency, as the attackers use methods to easily re-infect vulnerable servers if the malicious process was terminated. 

As part of the assault, the attackers create a word list by locating all of Drupal’s settings files and extracting all of the lines that contain the word “pass”. With many administrators leaving ‘root’ as the default user to connect from the web application to the database, the attackers can attempt to change the user to root and execute their payload. 

The initial attack surface was the web application, meaning that the attacker’s code was running under the user and permissions of that application, which usually doesn’t have access to installing new services. This is why the attacker would attempt to leverage permissions to root, Imperva points out. 

Advertisement. Scroll to continue reading.

Provided that the administrator did not leave the root passwords in the configuration files, the attacker then attempts to exploit the DirtyCOW bug to escalate privileges. The security researchers noticed that three different implementations of DirtyCOW were being downloaded as part of the attack, including one in raw format (C source code file), which was being compiled at runtime. 

Despite being a two-year-old vulnerability, one of the implementations has zero detection rate in VirusTotal, Imperva points out. 

After gaining root access and the permission to install new services, the attackers would install SSH, configure it, and then add their key to the list of authorized keys by the service. 

“Now, as long as the machine is up and running, the attacker can remotely transmit any command as the user root – game over,” Imperva concludes. 

Related: Hackers Exploit Drupalgeddon2 to Install Backdoor

Related: Remote Code Execution Flaws Patched in Drupal

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.