Hackers Exploit Drupalgeddon2 to Install Backdoor

A threat actor was observed targeting Drupal vulnerabilities patched earlier this year to install a backdoor on compromised servers, IBM reports.

The hackers target CVE-2018-7600, or Drupalgeddon2, a critical vulnerability found to impact Drupal versions 6, 7 and 8, but which was addressed in March this year. Assigned a risk score of 21/25, the vulnerability could be exploited to gain full control over a site, including access to non-public data.

Within weeks after a patch was released and the vulnerability became public, the first attempts to exploit it were observed. Soon after, while cybercriminals were targeting vulnerable sites with backdoors and crypto-miners, Drupal patched another highly critical flaw related to Drupalgeddon2.

Now, IBM’s security researchers reveal that both vulnerabilities are being targeted in a series of attacks that appear to be part of a financially-motivated campaign aiming at mass-infecting vulnerable Drupal websites. Although both security bugs have been patched, delays in applying fixes make them persistent.

The researchers observed that the same HTTP POST request was being repeatedly sent from the same IP address, which then revealed similar traffic from multiple command-and-control (C&C) servers. Part of a widespread cyber-attack, the requests would download a Perl script to launch the Shellbot backdoor.

The Shellbot malware would connect to an Internet Relay Chat (IRC) channel and use it to receive instructions. The bot contains functionality to perform distributed denial-of-service (DDoS) attacks, as well as to scan for SQL injection weaknesses and other vulnerabilities, in an attempt to reach root level on the victimized system.

“The vulnerabilities used in this campaign were leveraged in an automated way, allowing attackers to scan a large number of websites with minimal effort. Moreover, if successfully exploited, the flaw could lead to a potential compromise of the web application with the possibility of spilling over to the underlying operating system as well,” IBM notes.

Around since 2005, Shellbot was designed to open remote command line shells, launch DDoS attacks, run tasks and processes, download additional files onto the infected system, and change the endpoint’s settings, among others.

Although old, Shellbot is being used by several threat groups, and the security researchers observed it last year in attacks targeting an Apache Struts vulnerability (CVE-2017-5638) as well, when it was packaged as the C&C with the PowerBot malware, which dropped crypto-mining modules.

“It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications,” IBM concludes.

Related: Drupal Patches New Flaw Related to Drupalgeddon2

Related: Drupal Sites Targeted With Backdoors, Miners in Drupalgeddon2 Attacks