News

Drupalgeddon2 vulnerability, fixed a year and a half ago, still used in cyberattacks

The critical vulnerability fixed in a Drupal content management system a year and a half ago is still actively used in cyberattacks on large websites. This is a vulnerability called Drupalgeddon2 (CVE-2018-7600), discovered in March 2018.

This vulnerability can be exploited at the factory settings of Drupal for remote code execution.

The issue affects Drupal versions 7.58 and earlier, versions 8.x to 8.3.9, versions 8.4.x to 8.4.6, and versions 8.5.x to 8.5.1. According to Drupal, at the time of its discovery, more than 1 million sites were vulnerable. The exploits for Drupalgeddon2 were developed almost immediately.

A patch for the vulnerability was released a year and a half ago, and webmasters were urged to install it as soon as possible.

However, according to Akamai, attackers still use Drupalgeddon2 to attack large sites.

Larry Cashdollar

“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability’s exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems. This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems – creating a pivot point on the network”, — writes Larry Cashdollar from Akamai.

Cybercriminals exploit the vulnerability with a malicious index.inc.gif GIF file, which is stored on a Brazilian body-surfing site, which was most likely hacked.

Read also: Muhstik Ransomware was hacked. Free keys for 2858 Muhstik victims.

Image contains obfuscated PHP code and archived malware encrypted with base64. The malware is a Perl script that connects to the C&C infrastructure via IRC, has the functions of a remote access Trojan (RAT) and allows for (D) DoS attacks.

Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.

Recent Posts

Remove Pbmsoultions pop-up ads (Virus Removal Guide)

Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…

2 days ago

Remove Prizestash pop-up ads (Virus Removal Guide)

Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…

2 days ago

Remove Verifiedbreaking pop-up ads (Virus Removal Guide)

Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…

2 days ago

Remove Themoneyminutes pop-up ads (Virus Removal Guide)

Themoneyminutes.com is a domain that tries to force you into subscribing to its browser notifications…

2 days ago

Remove News-xcidizi pop-up ads (Virus Removal Guide)

News-xcidizi.com is a domain that tries to trick you into clik to its browser notifications…

2 days ago

Remove Everytraffic-flow pop-up ads (Virus Removal Guide)

Everytraffic-flow.com is a domain that tries to trick you into subscribing to its browser notifications…

2 days ago