Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web servers
Hackers have launched a new type of attack against Drupal site owners in the past several days, Imperva researchers have told ZDNet.
Through these recent attacks, hackers aim to gain a foothold on servers, elevate their access to a root account, and then install a legitimate SSH daemon so they can log back into the hijacked servers at a later date.
To achieve this, hackers have been chaining two well-known exploits, one of them for a vulnerability discovered back in 2016.
How the attack takes place
According to Imperva, the attack begins with hackers mass-scanning the Internet for websites running an outdated version of the Drupal content management system (CMS) that has not been patched against Drupalgeddon 2, a vulnerability disclosed in March this year.
When they identify a vulnerable site, hackers deploy a Drupalgeddon 2 exploit to gain a limited foothold on it.
They then use this foothold to search the Drupal site's local configuration files for database credentials.
If the database connection settings contain an account named "root," they try that account's password against the server itself, in the hope that the same credentials grant root access to the site's underlying server.
If this fails, hackers fall back to a second exploit, Dirty COW, for the eponymous Linux kernel vulnerability discovered in 2016 that lets an attacker elevate a limited user account to root.
Hackers go through all these steps because they need root access to install a legitimate SSH daemon on the server, which Imperva believes they use to reconnect to the server and carry out further operations.
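A defender-side check for the credential pattern described above, added here as an example and not code from the article or from Imperva: it parses a constructed Drupal settings.php fragment and flags database users whose name matches an OS account, the situation the attackers exploit when they reuse database credentials against the server. The helper names and the sample fragment are assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed sample settings.php fragment (not taken from the article) showing
# the risky pattern the attack relies on: the site's database user is "root"
# and the database runs on the same host as the web server.
SAMPLE_SETTINGS = r"""
<?php
$databases['default']['default'] = array (
  'database' => 'drupal',
  'username' => 'root',
  'password' => 'Hunter2!',
  'host' => '127.0.0.1',
  'port' => '3306',
  'driver' => 'mysql',
  'prefix' => '',
);
"""

# Keys of interest inside each $databases[...] array.
_KV = re.compile(r"'(database|username|password|host|driver)'\s*=>\s*'([^']*)'")
# One $databases[...] = array(...) or [...] block, captured lazily up to ");" or "];".
_BLOCK = re.compile(r"\$databases\[[^=]*=\s*(?:array\s*\(|\[)(.*?)[\)\]];", re.S)
# Names that also exist as OS accounts; a DB user with one of these names invites
# exactly the credential reuse the attackers attempt.
PRIVILEGED_OS_ACCOUNTS = {"root", "admin", "administrator"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_database_settings(settings_php: str) -> List[Dict[str, str]]:
    """Return one dict of connection keys per $databases[...] block."""
    return [dict(_KV.findall(block)) for block in _BLOCK.findall(settings_php)]


def audit_settings(settings_php: str) -> List[str]:
    """Flag settings that help a compromised web user reach root on the host."""
    findings = []
    for i, db in enumerate(parse_database_settings(settings_php)):
        user = db.get("username", "").lower()
        if user in PRIVILEGED_OS_ACCOUNTS:
            findings.append(f"db[{i}]: database user '{user}' shares its name with an OS "
                            "account; use a dedicated least-privilege database user")
        if user == "root" and db.get("host", "") in LOCAL_HOSTS:
            findings.append(f"db[{i}]: root database credentials on the local host; "
                            "verify the password is not also the OS root password")
        if not db.get("password"):
            findings.append(f"db[{i}]: empty database password")
    return findings
```

Run `audit_settings(open('sites/default/settings.php').read())` against a real site to get the list of findings; an empty list means none of the three patterns was found.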
Dozens of attacks already detected
Nadav Avital, Threat Analytics Manager at Imperva, told ZDNet earlier today in an interview that the company's web firewall has already "protected dozens of sites from infection."
"Since all of the attacks were detected and blocked by Imperva, we cannot fully determine the attackers' end goal," Avital told us. "Having said that, in one of our latest reports we found that almost 90% of such attacks are attempting to install crypto-mining malware."
The attack could also be much broader in scope than the "dozens" of sites where Imperva has blocked exploitation attempts. Most web servers already run an SSH daemon, so on those hosts attackers would not need to go through the full exploitation chain at all.
Because this attack relies on two very well-known vulnerabilities for which patches have been available for a long time, website and server owners can make themselves immune to it simply by updating Drupal and the Linux kernel on their servers.
Avital in particular stresses updating the Drupal CMS, the point of entry for these attacks. The researcher says Drupal sites have remained under constant assault even though the Drupalgeddon 2 vulnerability came to light over six months ago; attacks should have abated as site owners updated their CMSs, but that has not happened.
"Considering [...] the lethargic pace of patching, the severity of the vulnerability and the fact that many of the hacking tools incorporated this attack, results in a huge amount of attacks," Avital told ZDNet. "Even today Drupalgeddon is one of the most popular attack vectors hackers are trying to use."