8 October 2019

Drupalgeddon2 flaw, patched more than a year ago, is still being actively exploited by hackers

Hackers continue to exploit a popular remote code execution (RCE) vulnerability (aka Drupalgeddon2) in the Drupal content management system (CMS) that was patched more than a year and a half ago. A new campaign was uncovered by Akamai’s lead researcher Larry Cashdollar and, according to the expert, the attackers target a broad range of high-profile websites using malicious .GIF files to deliver malware.

Drupalgeddon2, tracked as CVE-2018-7600, stems from insufficient input validation in the Drupal 7 Form API. It affects all Drupal 7.x versions before 7.58, 8.3.x versions before 8.3.9, 8.4.x versions before 8.4.6, and 8.5.x versions before 8.5.1. First discovered in March 2018, the vulnerability can be triggered remotely on default and common Drupal installations, potentially leading to RCE, data theft, and website hijacking. The flaw was fixed by the Drupal team in the same month. At the time of discovery, it was estimated that more than one million websites were vulnerable and, although the patch was issued over a year ago, it seems that many website owners failed to apply the fix, putting their sites in danger.

The new campaign recently observed by Cashdollar exploits the vulnerability through a .GIF file that contains malicious code.

“I observed an attack that is designed to run code that is embedded inside a .gif file. While embedding code in an image file isn’t a new attack method, I haven’t seen this method in quite some time,” the researcher said.

So far the campaign doesn’t appear widespread and is currently directed against “a random assortment of high profile websites”.

The campaign's image file, index.inc.gif, is being hosted on a Brazilian bodysurfing website which appears to have been hijacked. The image file contains obfuscated PHP code and base64-encoded malware packages.

“The commands clean up any previous installations and then replace any .htaccess configurations with versions that have less restrictive settings. Then two different files are downloaded and then executed. The first, index.inc.gif, contains obfuscated PHP code. It contains a GIF header, but the rest of the file is PHP code obscured using gzip compression, rot13, and base64 encoding. The Linux 'file' command identifies it as a GIF image,” according to the analysis.
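A defender-side check for the polyglot just described, added here as an example and not taken from the article or from Akamai's analysis: a valid GIF signature is all a magic-based tool like 'file' looks at, so the scanner below reads past the header and looks for a PHP open tag, the decoder calls that the three described layers (gzip, rot13, base64) would need in PHP, and long base64 runs. It assumes the stub uses the PHP builtins gzinflate/str_rot13/base64_decode, and the sample file is constructed, not the real index.inc.gif.

```python
import base64
import re

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# PHP builtins matching the layering the analysis describes (gzip, rot13, base64);
# assumption: the stub decodes with these rather than a hand-rolled routine.
DECODER_CALLS = re.compile(
    rb"\b(gzinflate|gzuncompress|gzdecode|str_rot13|base64_decode|eval)\s*\(",
    re.IGNORECASE,
)
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def looks_like_gif(data: bytes) -> bool:
    """True when the file starts with a GIF signature, which is all a magic check needs."""
    return data[:6] in GIF_MAGICS


def inspect_gif(data: bytes) -> dict:
    """Scan a file that claims to be a GIF for an embedded PHP stub.
    Returns which indicators fired so the result can be logged or alerted on."""
    findings = []
    if not looks_like_gif(data):
        return {"is_gif_header": False, "suspicious": False, "findings": findings}
    body = data[6:]  # everything after the signature, which image tools do not scrutinise
    if PHP_TAG.search(body):
        findings.append("php_open_tag")
    calls = sorted({m.group(1).lower().decode() for m in DECODER_CALLS.finditer(body)})
    if calls:
        findings.append("decoder_calls:" + ",".join(calls))
    if BASE64_RUN.search(body):
        findings.append("long_base64_run")
    return {"is_gif_header": True, "suspicious": bool(findings), "findings": findings}


# Constructed samples (not the real files): a GIF signature followed by a PHP
# decoder stub around a harmless placeholder blob, and a genuine 1x1 GIF.
PLACEHOLDER = base64.b64encode(b"A" * 160)  # stands in for the encoded payload
POLYGLOT = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
    b"<?php eval(gzinflate(str_rot13(base64_decode('" + PLACEHOLDER + b"')))); ?>"
)
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)
```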

The deployed malware supports several functions, such as scanning local files for credentials, sending email with the discovered credentials, replacing the local .htaccess file, displaying MySQL my.cnf configuration files, executing a remote file that is gz compressed and base64 encoded, showing system information, renaming files, uploading files, and launching a web shell.

The second malicious module found in the image file is a Perl script stored in mild.txt. The code isn't obfuscated and, like many other pieces of malware, uses Internet Relay Chat (IRC) to communicate with a command and control server. The malware has several capabilities, such as denial-of-service (DoS) and Remote Access Trojan (RAT) functionality.

“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability's exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems. This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems -- creating a pivot point on the network,” the researcher warned.
