Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Hackers Exploit Drupalgeddon2 to Install Backdoor

A threat actor was observed targeting Drupal vulnerabilities patched earlier this year to install a backdoor on compromised servers, IBM reports.

A threat actor was observed targeting Drupal vulnerabilities patched earlier this year to install a backdoor on compromised servers, IBM reports.

The hackers target CVE-2018-7600, or Drupalgeddon2, a critical vulnerability found to impact Drupal versions 6, 7 and 8, but which was addressed in March this year. Assigned a risk score of 21/25, the vulnerability could be exploited to gain full control over a site, including access to non-public data.

Within weeks after a patch was released and the vulnerability became public, the first attempts to exploit it were observed. Soon after, while cybercriminals were targeting vulnerable sites with backdoors and crypto-miners, Drupal patched another highly critical flaw related to Drupalgeddon2.

Now, IBM’s security researchers reveal that both vulnerabilities are being targeted in a series of attacks that appear to be part of a financially-motivated campaign aiming at mass-infecting vulnerable Drupal websites. Although both security bugs have been patched, delays in applying fixes make them persistent.

The researchers observed that the same HTTP POST request was being repeatedly sent from the same IP address, which then revealed similar traffic from multiple command-and-control (C&C) servers. Part of a widespread cyber-attack, the requests would download a Perl script to launch the Shellbot backdoor.

The Shellbot malware would connect to an Internet Relay Chat (IRC) channel and use it to receive instructions. The bot contains functionality to perform distributed denial-of-service (DDoS) attacks, as well as to scan for SQL injection weaknesses and other vulnerabilities, in an attempt to reach root level on the victimized system.

“The vulnerabilities used in this campaign were leveraged in an automated way, allowing attackers to scan a large number of websites with minimal effort. Moreover, if successfully exploited, the flaw could lead to a potential compromise of the web application with the possibility of spilling over to the underlying operating system as well,” IBM notes.

Around since 2005, Shellbot was designed to open remote command line shells, launch DDoS attacks, run tasks and processes, download additional files onto the infected system, and change the endpoint’s settings, among others.

Advertisement. Scroll to continue reading.

Although old, Shellbot is being used by several threat groups, and the security researchers observed it last year in attacks targeting an Apache Struts vulnerability (CVE-2017-5638) as well, when it was packaged as the C&C with the PowerBot malware, which dropped crypto-mining modules.

“It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications,” IBM concludes.

Related: Drupal Patches New Flaw Related to Drupalgeddon2

Related: Drupal Sites Targeted With Backdoors, Miners in Drupalgeddon2 Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.