Home / News / Drupalgeddon2 vulnerability, fixed a year and a half ago, still used in cyberattacks

Drupalgeddon2 vulnerability, fixed a year and a half ago, still used in cyberattacks

The critical vulnerability fixed in a Drupal content management system a year and a half ago is still actively used in cyberattacks on large websites. This is a vulnerability called Drupalgeddon2 (CVE-2018-7600), discovered in March 2018.

This vulnerability can be exploited at the factory settings of Drupal for remote code execution.

The issue affects Drupal versions 7.58 and earlier, versions 8.x to 8.3.9, versions 8.4.x to 8.4.6, and versions 8.5.x to 8.5.1. According to Drupal, at the time of its discovery, more than 1 million sites were vulnerable. The exploits for Drupalgeddon2 were developed almost immediately.

A patch for the vulnerability was released a year and a half ago, and webmasters were urged to install it as soon as possible.

However, according to Akamai, attackers still use Drupalgeddon2 to attack large sites.

Larry Cashdollar
Larry Cashdollar

“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability’s exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems. This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems – creating a pivot point on the network”, — writes Larry Cashdollar from Akamai.

Cybercriminals exploit the vulnerability with a malicious index.inc.gif GIF file, which is stored on a Brazilian body-surfing site, which was most likely hacked.

Read also: Muhstik Ransomware was hacked. Free keys for 2858 Muhstik victims.

Image contains obfuscated PHP code and archived malware encrypted with base64. The malware is a Perl script that connects to the C&C infrastructure via IRC, has the functions of a remote access Trojan (RAT) and allows for (D) DoS attacks.

Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take.
[Total: 0    Average: 0/5]
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Check Also

PoC exploit for Android vulnerability

Information security researcher publishes PoC exploit for critical vulnerability in Android

Grant Hernandez, Ph.D. in science at the University of Florida’s Cybersecurity Institute, has published a …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.