Drupalgeddon2 vulnerability, fixed a year and a half ago, still used in cyberattacks

The critical vulnerability fixed in a Drupal content management system a year and a half ago is still actively used in cyberattacks on large websites. This is a vulnerability called Drupalgeddon2 (CVE-2018-7600), discovered in March 2018.

This vulnerability can be exploited at the factory settings of Drupal for remote code execution.

The issue affects Drupal versions 7.58 and earlier, versions 8.x to 8.3.9, versions 8.4.x to 8.4.6, and versions 8.5.x to 8.5.1. According to Drupal, at the time of its discovery, more than 1 million sites were vulnerable. The exploits for Drupalgeddon2 were developed almost immediately.

A patch for the vulnerability was released a year and a half ago, and webmasters were urged to install it as soon as possible.

However, according to Akamai, attackers still use Drupalgeddon2 to attack large sites.

Larry Cashdollar
Larry Cashdollar

“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability’s exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems. This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems – creating a pivot point on the network”, — writes Larry Cashdollar from Akamai.

Cybercriminals exploit the vulnerability with a malicious index.inc.gif GIF file, which is stored on a Brazilian body-surfing site, which was most likely hacked.

Read also: Muhstik Ransomware was hacked. Free keys for 2858 Muhstik victims.

Image contains obfuscated PHP code and archived malware encrypted with base64. The malware is a Perl script that connects to the C&C infrastructure via IRC, has the functions of a remote access Trojan (RAT) and allows for (D) DoS attacks.

Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Check Also

Ragnar Locker and Virtual Machines

Ragnar Locker ransomware uses virtual machines to hide their actions

Sophos specialists found that Ragnar Locker malware operators use Oracle VirtualBox and virtual machines running …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.