Many Drupal Sites Still Vulnerable to Drupalgeddon2 Attacks

At least 115,000 websites powered by version 7 of the Drupal content management system are still vulnerable to Drupalgeddon2 attacks, despite patches being available since late March.

The flaw dubbed Drupalgeddon2 is officially tracked as CVE-2018-7600. It allows a remote attacker to execute arbitrary code and take complete control of a website running Drupal 6, 7 or 8. The issue has been patched since the release of versions 7.58, 8.5.1, 8.3.9 and 8.4.6, with fixes also available for Drupal 6, which has not been supported since February 2016.

Drupalgeddon2 has been exploited by malicious actors for both server-side and client-side attacks that deliver cryptocurrency miners, backdoors, RATs and tech support scams.

Despite the high risk of attacks, many administrators of Drupal websites still haven’t applied the patches.

Researcher Troy Mursch has conducted an analysis of Drupal 7 websites – Drupal 7 is the most widely used version and it currently powers more than 830,000 sites – and found that many are still vulnerable.

Mursch identified nearly 500,000 Drupal 7 websites through the PublicWWW source code search engine and found that 115,070 were running outdated and vulnerable versions of the CMS. The analysis showed that roughly 134,000 sites were not vulnerable, while for 225,000 the version in use could not be determined.
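The triage described above amounts to comparing each site's advertised Drupal core version against the fixed releases named earlier (7.58, 8.5.1, 8.3.9 and 8.4.6). The following is an added example of that classification, not code from the article or from the researcher; the site names and version strings are constructed sample data, and the `parse_version`, `classify` and `triage` helpers are this example's own.

```python
"""Classify Drupal core version strings against the Drupalgeddon2 (CVE-2018-7600)
fixed releases named in the article. Added example, not the article's or Drupal's code."""
import re
from collections import Counter

# Minimum patched release for each Drupal 8 branch that received a fix (from the article).
FIXED_8 = {(8, 3): (8, 3, 9), (8, 4): (8, 4, 6), (8, 5): (8, 5, 1)}

def parse_version(text):
    """Pull a numeric core version out of text such as the generator meta tag
    ('Drupal 7.57 (https://www.drupal.org)') or a CHANGELOG.txt header.
    Returns a tuple of ints, or None when no Drupal version is present."""
    m = re.search(r"Drupal\s+(\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version):
    """Return 'vulnerable', 'patched' or 'unknown' for a parsed version tuple.
    Note: 'patched' only means the core version is at or above the fix; it says
    nothing about whether the site was compromised before it was updated."""
    if version is None or len(version) < 2:
        return "unknown"
    major = version[0]
    if major == 6:
        # Drupal 6 is unsupported; fixes exist only as backports that the core
        # version string cannot reveal, so the state is undetermined.
        return "unknown"
    if major == 7:
        return "patched" if version >= (7, 58) else "vulnerable"
    if major == 8:
        if len(version) < 3:
            return "unknown"            # '8.5' alone cannot be compared to 8.5.1
        fixed = FIXED_8.get(version[:2])
        if fixed is not None:
            return "patched" if version >= fixed else "vulnerable"
        # 8.0-8.2 are end-of-life branches with no fix; 8.6+ shipped after the fix.
        return "patched" if version[:2] > (8, 5) else "vulnerable"
    return "patched" if major > 8 else "unknown"

def triage(records):
    """records: iterable of (site, raw_text). Returns a Counter of classifications."""
    return Counter(classify(parse_version(raw)) for _, raw in records)

SAMPLE = [  # constructed sample data, not real sites
    ("site-a.test", "Drupal 7.57 (https://www.drupal.org)"),
    ("site-b.test", "Drupal 7.58 (https://www.drupal.org)"),
    ("site-c.test", "Drupal 8.4.5"),
    ("site-d.test", "Drupal 8.5.1"),
    ("site-e.test", "Drupal 8.2.8"),
    ("site-f.test", "Drupal 8.6.2"),
    ("site-g.test", "Drupal 6.38"),
    ("site-h.test", '<meta name="generator" content="WordPress 4.9">'),
]

if __name__ == "__main__":
    print(dict(triage(SAMPLE)))
```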

“Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers,” Mursch wrote on his Bad Packets Report blog.

The list of vulnerable websites has not been made public, but the researcher did send it to US-CERT and the Drupal Security Team.

While conducting the analysis, Mursch discovered a significant cryptojacking campaign that leverages the Coinhive service. Malicious actors managed to compromise at least 258 Drupal sites and abused them to mine for cryptocurrency. The list of victims included the Attorney General’s Office in Colorado, a police department in Belgium, and Fiat-owned automotive parts manufacturer Magneti Marelli.

An India-based research organization hit by this campaign had updated Drupal, but it failed to remove the malicious code. As the Drupal Security Team warned, updating the CMS does not remove malicious code from already compromised websites.

This is the second cryptojacking campaign discovered by Mursch since the disclosure of Drupalgeddon2. In early May, he reported discovering more than 300 websites hacked in a similar operation, including sites belonging to universities and governments.

During the analysis of Drupalgeddon2, the Drupal Security Team and developer Jasper Mattsson, who also reported the original vulnerability, identified another flaw. This second vulnerability, tracked as CVE-2018-7602 and dubbed Drupalgeddon3 by some, has also been exploited in the wild.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
