Security researchers have discovered a large botnet that is using a severe flaw in the Drupal CMS in order to infect other systems.
According to a blog post by researchers at Qihoo 360 Netlab, bots have been scanning for systems with the CVE-2018-7600 vulnerability, also known as the Drupalgeddon 2 bug. The vulnerability exists in multiple Drupal versions and may be exploited by an attacker to take full control of the target.
Researchers said that scanning started on 13 April this year and they believed that at least three groups of malware campaigns are exploiting this bug. One group has worm-propagation behaviour and was dubbed Muhstik, as this name kept appearing in binary file names and a communications IRC channel. The malware is also an update of the Tsunami malware that has been used in the past to infect tens of thousands of Unix and Linux servers since 2011.
They said that Muhstik uses the following two sets of attack payloads, which together account for around 80 percent of all the payloads observed. The botnet can install multiple malicious payloads, including cryptocurrency miners (such as the XMRig Monero miner, or the CGMiner to mine Dash cryptocurrency) and software to launch DDoS attacks. The botnet uses 11 separate command-and-control domains and IP addresses to stay online as much as possible. It also uses the IRC protocol to communicate, sending different instructions via different channels.
Muhstik is also exploiting flaws in other applications such as WebDAV, WebLogic, Webuzo, and WordPress. It scans ports 80, 8080, 7001, and 2004. The worm propagates by scanning for susceptible server applications and by searching servers for weak secure-shell (SSH) passwords.
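The two propagation behaviours described above (probing ports 80, 8080, 7001 and 2004, and guessing SSH passwords) are the kind of thing a defender can look for in perimeter and authentication logs. The following is an added illustrative detector, not code from the article or from Netlab's report: it runs over a constructed, simplified log format (the `conn src=... dport=...` lines and the trimmed sshd "Failed password" lines are assumptions, not a real firewall or sshd syntax) and flags any source that touches three or more of the listed ports or accumulates repeated SSH password failures. The thresholds are likewise assumptions to tune for your environment.

```python
"""Added example detector for the Muhstik scanning and SSH-guessing behaviour
described in the article. The log format, thresholds and sample data below are
constructed for illustration and are not the article's or Netlab's own."""
import re
from collections import defaultdict

# Ports the article says the worm scans.
MUHSTIK_PORTS = {80, 8080, 7001, 2004}
# Assumed thresholds: a source touching >= 3 of those ports is treated as a
# scanner; >= 5 SSH password failures is treated as password guessing.
SCAN_PORT_THRESHOLD = 3
SSH_FAIL_THRESHOLD = 5

# Hypothetical, simplified line formats (constructed for this example).
CONN_RE = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>\S+) dport=(?P<dport>\d+)$")
SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd: Failed password for (?:invalid user )?\S+ from (?P<src>\S+)$"
)

# Constructed sample log: 203.0.113.7 sweeps all four ports and hammers SSH;
# 198.51.100.9 and 192.0.2.5 are ordinary traffic that should not be flagged.
SAMPLE_LOG = """
2018-04-20T10:00:01 conn src=203.0.113.7 dport=80
2018-04-20T10:00:01 conn src=203.0.113.7 dport=8080
2018-04-20T10:00:02 conn src=203.0.113.7 dport=7001
2018-04-20T10:00:02 conn src=203.0.113.7 dport=2004
2018-04-20T10:00:03 conn src=198.51.100.9 dport=443
2018-04-20T10:00:03 conn src=198.51.100.9 dport=80
2018-04-20T10:00:05 sshd: Failed password for root from 203.0.113.7
2018-04-20T10:00:06 sshd: Failed password for invalid user admin from 203.0.113.7
2018-04-20T10:00:07 sshd: Failed password for root from 203.0.113.7
2018-04-20T10:00:08 sshd: Failed password for invalid user test from 203.0.113.7
2018-04-20T10:00:09 sshd: Failed password for root from 203.0.113.7
2018-04-20T10:00:10 sshd: Failed password for root from 203.0.113.7
2018-04-20T10:00:11 sshd: Failed password for invalid user bob from 192.0.2.5
2018-04-20T10:00:12 sshd: Failed password for invalid user bob from 192.0.2.5
""".strip().splitlines()


def analyze(lines):
    """Return {src_ip: [finding, ...]} for sources matching either behaviour."""
    ports_by_src = defaultdict(set)
    ssh_fails = defaultdict(int)
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            ports_by_src[m["src"]].add(int(m["dport"]))
            continue
        m = SSH_RE.match(line)
        if m:
            ssh_fails[m["src"]] += 1

    findings = {}
    # Scanner check: how many of the Muhstik ports did each source touch?
    for src, ports in ports_by_src.items():
        hit = ports & MUHSTIK_PORTS
        if len(hit) >= SCAN_PORT_THRESHOLD:
            findings.setdefault(src, []).append(f"scanned {sorted(hit)}")
    # Password-guessing check on the SSH failure counts.
    for src, n in ssh_fails.items():
        if n >= SSH_FAIL_THRESHOLD:
            findings.setdefault(src, []).append(f"{n} SSH password failures")
    return findings


if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Both checks use only what the article states (the port list and the SSH guessing); in production you would feed real firewall and sshd records through parsers for their actual formats, bound the counts to a time window, and treat a hit as a lead for triage rather than proof of Muhstik specifically.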
The security team at Drupal patched up Drupalgeddon2 last month when it released Drupal 7.58 and Drupal 8.5.1. Sites running the CMS have been advised to update to these versions as soon as possible.
Dr Kevin Curran, senior IEEE member and professor of Cyber-security at Ulster University, told SC Media UK that we are likely to see other Content Management Systems compromised in the future, in part, simply due to their popularity.
“Hackers have accumulated many CMS vulnerabilities and there exists a host of CMSs which have neglected to update to more secure versions - thus leaving them susceptible to these well-known flaws. Weak admin passwords can also be brute forced. The other main weakness in CMSs which leads to hacks is the plugin ecosystem. Here there are, again, well-known attacks in the wild for plugins which also lead to full system hack,” he said.
Paul Ducklin, senior technologist at Sophos, told SC Media UK that the good news about the Drupal CVE-2018-7600 vulnerability is that it isn't a zero-day because there are already patches available. “If you've applied the patches, you can't be exploited. The bad news is that if you haven't patched, or if you think you've patched but didn't do it properly, then it might as well be a zero-day, because the crooks can and will attack you. Don't make yourself an easy target: patch early, patch often!” he said.