The critical vulnerability fixed in a Drupal content management system a year and a half ago is still actively used in cyberattacks on large websites. This is a vulnerability called Drupalgeddon2 (CVE-2018-7600), discovered in March 2018.This vulnerability can be exploited at the factory settings of Drupal for remote code execution.
The issue affects Drupal versions 7.58 and earlier, versions 8.x to 8.3.9, versions 8.4.x to 8.4.6, and versions 8.5.x to 8.5.1. According to Drupal, at the time of its discovery, more than 1 million sites were vulnerable. The exploits for Drupalgeddon2 were developed almost immediately.
A patch for the vulnerability was released a year and a half ago, and webmasters were urged to install it as soon as possible.
However, according to Akamai, attackers still use Drupalgeddon2 to attack large sites.
“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability’s exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems. This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems – creating a pivot point on the network”, — writes Larry Cashdollar from Akamai.
Cybercriminals exploit the vulnerability with a malicious index.inc.gif GIF file, which is stored on a Brazilian body-surfing site, which was most likely hacked.
Image contains obfuscated PHP code and archived malware encrypted with base64. The malware is a Perl script that connects to the C&C infrastructure via IRC, has the functions of a remote access Trojan (RAT) and allows for (D) DoS attacks.
User Review( votes)