Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Many Drupal Sites Still Vulnerable to Drupalgeddon2 Attacks

At least 115,000 websites powered by version 7 of the Drupal content management system are still vulnerable to Drupalgeddon2 attacks, despite patches being available since late March.

At least 115,000 websites powered by version 7 of the Drupal content management system are still vulnerable to Drupalgeddon2 attacks, despite patches being available since late March.

The flaw dubbed Drupalgeddon2 is officially tracked as CVE-2018-7600. It allows a remote attacker to execute arbitrary code and take complete control of a website running Drupal 6, 7 or 8. The issue has been patched since the release of versions 7.58, 8.5.1, 8.3.9 and 8.4.6, with fixes also available for Drupal 6, which is no longer supported since February 2016.

Drupalgeddon2 has been exploited by malicious actors for both server-side and client-side attacks that deliver cryptocurrency miners, backdoors, RATs and tech support scams.Many Drupal websites still affected by Drupalgeddon 2 vulnerability

Despite the high risk of attacks, many administrators of Drupal websites still haven’t applied the patches.

Researcher Troy Mursch has conducted an analysis of Drupal 7 websites – Drupal 7 is the most widely used version and it currently powers more than 830,000 sites – and found that many are still vulnerable.

Mursch identified nearly 500,000 Drupal 7 websites through the PublicWWW source code search engine and found that 115,070 had been running outdated and vulnerable versions of the CMS. The analysis showed that roughly 134,000 sites had not been vulnerable, while for 225,000 the version they had been using could not be determined.

“Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers,” Mursch wrote on his Bad Packets Report blog.

Advertisement. Scroll to continue reading.

The list of vulnerable websites has not been made public, but the researcher did send it to US-CERT and the Drupal Security Team.

While conducting the analysis, Mursch discovered a significant cryptojacking campaign that leverages the Coinhive service. Malicious actors managed to compromise at least 258 Drupal sites and abused them to mine for cryptocurrency. The list of victims included the Attorney General’s Office in Colorado, a police department in Belgium, and Fiat-owned automotive parts manufacturer Magneti Marelli.

An India-based research organization hit by this campaign had updated Drupal, but it failed to remove the malicious code. As the Drupal Security Team warned, updating the CMS does not remove malicious code from already compromised websites.

This is the second cryptojacking campaign discovered by Mursch since the disclosure of Drupalgeddon2. In early May, he reported discovering more than 300 websites hacked in a similar operation, including sites belonging to universities and governments.

During the analysis of Drupalgeddon2, the Drupal Security Team and developer Jasper Mattsson, who also reported the original vulnerability, identified another flaw. This second vulnerability, tracked as CVE-2018-7602 and dubbed by some Drupalgeddon3, has also been exploited in the wild.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.