CVE-2018-7600 Drupal Bug Used in New Attack

Computer hackers are abusing the CVE-2018-7600 Drupal vulnerability using a new exploit called Drupalgeddon2 to take down sites. The attacks target site instances running versions 6, 7 and 8 of Drupal and use the same security vulnerability that was addressed back in March this year.

The CVE-2018-7600 Drupal Bug Abused in New Drupalgeddon2 Attack

An unknown criminal collective is taking advantage of an old security bug, tracked in the CVE-2018-7600 advisory, which was patched earlier this year. The new intrusion attempt is called the Drupalgeddon2 attack and, according to the available research, allows hackers to exploit the sites using a new strategy. The consequence is total control of the target sites, including access to private data. The official description of the CVE-2018-7600 bug is the following:

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
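The version ranges in the description above can be turned into a triage check over a site inventory. This is an added example, not code from the original post or from the Drupal project; the function names, the conservative handling of suffixed builds and the sample inventory are assumptions made for illustration.

```python
import re

# First patched release per branch, from the CVE-2018-7600 description above.
FIXED_7X = (7, 58)
FIXED_8X = {(8, 3): (8, 3, 9), (8, 4): (8, 4, 6), (8, 5): (8, 5, 1)}

def parse_version(text):
    """Split '8.5.0-rc1' into ((8, 5, 0), True); the flag marks a suffix."""
    m = re.match(r"\s*(\d+(?:\.\d+){0,2})(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, bool(m.group(2).strip())

def is_affected(version):
    """True if the version falls inside the ranges the CVE text lists."""
    nums, suffixed = parse_version(version)
    major = nums[0]
    if major < 7:
        return True                      # "before 7.58" also covers 6.x
    if major == 7:
        fixed = FIXED_7X
    elif major == 8:
        nums = (nums + (0, 0))[:3]       # pad '8.4' to (8, 4, 0)
        if nums[1] < 3:
            return True                  # 8.0-8.2 sit below 8.3.9
        fixed = FIXED_8X.get(nums[:2])
        if fixed is None:
            return False                 # 8.6+ is outside the listed ranges
    else:
        return False                     # 9+ is outside the listed ranges
    # Assumption: a suffixed build of the fixed release (-dev, -rc) is
    # treated as unpatched, which errs on the side of flagging it.
    return nums < fixed or (suffixed and nums == fixed)

def triage(inventory):
    """Return the hosts in {host: version} that still need the update."""
    return sorted(h for h, v in inventory.items() if is_affected(v))

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "intranet.example.org": "6.38",
    "shop.example.org": "7.57",
    "blog.example.org": "7.58",
    "docs.example.org": "8.3.8",
    "api.example.org": "8.4.6",
    "beta.example.org": "8.5.0-rc1",
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(f"{host}: {SAMPLE[host]} is in the CVE-2018-7600 range")
```

The check only reflects the ranges quoted in the CVE text; a site reporting a fixed version can still carry artifacts from a compromise that predates the update.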

Several weeks after the issue was publicly announced, several hacking groups attempted to exploit it. The hackers were able to find vulnerable sites, all of which were infected with backdoor viruses, miners and other malware code. This follow-up intrusion led to the discovery of an alternative intrusion approach that became known as the Drupalgeddon2 attack against Drupal sites.

The analysts uncovered that the same HTTP POST request was used as in the first attacks; the traffic analysis shows that similar contents were used. The end goal was to download a script written in the Perl language which triggers the download and execution of a backdoor. This malware script will connect the infected site to an IRC-based channel which will (Read more…)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Martin Beltov. Read the original post at: