Critical Vulnerability in Drupal CMS Used for Cryptomining

For your information, Drupal, like WordPress, is an open-source content management system (CMS), and it is used by over a million websites across the globe. Drupal seems to be a top pick for governments and the financial sector.

However, reports suggest that Drupal contained a highly critical vulnerability that gave remote attackers full control of a website. Users were kept unaware of this flaw until the company released a patch to address the issue.

Now, IT security researchers at Check Point have openly disclosed the vulnerability to the public, leaving site admins scratching their heads.

Dubbed Drupalgeddon2, the vulnerability is serious enough that it is being used to install cryptocurrency miners that mine Monero.

Drupal’s security team addressed the issue last month and released the patch, which admins who run their websites on Drupal are advised to install as quickly as possible. Researchers also released a proof-of-concept exploit for the flaw, which demonstrates that attackers can easily gain complete control of a website through the vulnerability.

Attackers rarely waste time in exploiting a disclosed vulnerability, and Drupalgeddon2 is no exception: attacks are already under way, and the attackers are installing cryptominers. A thread on the SANS ISC InfoSec forums confirms this as well.

Exploitation attempts are currently being launched at a rapid pace. Naturally, security experts and website owners are quite concerned. A tweet from GoDaddy’s VP of Engineering clearly shows this unrest among site owners. The tweet reads:

The only possible solution at the moment is to install the patch immediately.

A PSA was also published by Drupal’s team stating that the project was already aware of attacks being launched to compromise Drupal 7 and 8 websites. The vulnerability has been assigned CVE-2018-7600, and Drupal’s security risk score for the issue has been raised to 24/25.

If your website remains unpatched by 11th April 2018, it is at risk of compromise. Quite possibly, targeted attacks were already launched before the release of the patch. Note also that updating Drupal alone does not remove backdoors and does not repair an already compromised website.

In fact, if your website appears to be patched but you did not patch it yourself, treat that as a sign that the site has been compromised: in some previous attacks, attackers applied the patch themselves to ensure that the site remained under their control.

Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'