A recent attack targeted Drupal web servers with a chain of vulnerabilities that included the infamous Drupalgeddon2 and DirtyCOW flaws, Imperva security researchers say.
The attack was short and impacted only some Linux-based systems, but it was noteworthy for attempting to persistently infect vulnerable servers and take over machines.
Drupalgeddon2, a vulnerability tracked as CVE-2018-7600, impacts Drupal versions 6, 7 and 8 and could be exploited to gain full control of a site. Addressed in March this year, the flaw has been exploited for months and remains an important threat because of slow patching.
DirtyCOW, on the other hand, is a Linux kernel vulnerability that allows an attacker to escalate privileges by modifying existing setuid files. Caused by a race condition in the manner in which Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings, the bug was being already exploited when patched in fall 2016.
As part of the newly observed attack, cybercriminals are attempting to compromise Drupal servers using exploits for both Drupalgeddon2 and DirtyCOW, while also trying to gain access to the target machines via system misconfigurations.
Unlike previously observed remote code execution (RCE) attacks on web servers, which were usually once-off security events, the new incident reveals the adoption of persistency, as the attackers use methods to easily re-infect vulnerable servers if the malicious process was terminated.
As part of the assault, the attackers create a word list by locating all of Drupal’s settings files and extracting all of the lines that contain the word “pass”. With many administrators leaving ‘root’ as the default user to connect from the web application to the database, the attackers can attempt to change the user to root and execute their payload.
The initial attack surface was the web application, meaning that the attacker’s code was running under the user and permissions of that application, which usually doesn’t have access to installing new services. This is why the attacker would attempt to leverage permissions to root, Imperva points out.
Provided that the administrator did not leave the root passwords in the configuration files, the attacker then attempts to exploit the DirtyCOW bug to escalate privileges. The security researchers noticed that three different implementations of DirtyCOW were being downloaded as part of the attack, including one in raw format (C source code file), which was being compiled at runtime.
Despite being a two-year-old vulnerability, one of the implementations has zero detection rate in VirusTotal, Imperva points out.
After gaining root access and the permission to install new services, the attackers would install SSH, configure it, and then add their key to the list of authorized keys by the service.
“Now, as long as the machine is up and running, the attacker can remotely transmit any command as the user root – game over,” Imperva concludes.