It took hackers only three days to start exploiting latest Drupal bug

Publication of exploit code helped hackers get Drupal attacks off the ground.
Written by Catalin Cimpanu, Contributor

Three days. That's the time it took hackers to start launching attacks against Drupal sites using an exploit for a security flaw the CMS project patched last week.

The attacks, detected by web firewall firm Imperva, tried to take advantage of yet-to-be-patched Drupal sites and plant a JavaScript cryptocurrency miner called CoinIMP on vulnerable sites.

The coin-mining script, which works similarly to the more famous Coinhive, would have used the browsers of all site visitors to mine the Monero cryptocurrency for the hackers.

The attacks began on Saturday, February 23, according to Imperva, three days after the Drupal project patched a vulnerability tracked as CVE-2019-6340, and two days after proof-of-concept (PoC) exploit code became widely available online on different sites [1, 2].

Imperva says the hundreds of attacks it detected used one of the PoCs as a base for their exploitation routine, proving once again that releasing proof-of-concept code is mostly helping attackers rather than site owners.

[Figure: Drupal CVE-2019-6340 exploit attempts. Image: Imperva]

The attacks trying to exploit CVE-2019-6340 to plant cryptominers aren't unique. The Drupal content management system (CMS) received two major patches last year for two vulnerabilities named Drupalgeddon 2 (CVE-2018-7600) and Drupalgeddon 3 (CVE-2018-7602).

Similar to last week's events, security researchers who analyzed the two flaws last year published PoC code that helped attackers launch attacks within days. Just like last week, cryptominers were their go-to payload [1, 2].

But while the Drupalgeddon 2 and Drupalgeddon 3 flaws affected the vast majority of Drupal sites, the good news is that last week's bug (CVE-2019-6340) only affects Drupal 8 sites and not the more popular and widespread Drupal 7 version.

There are roughly 63,000 Drupal 8 sites around, Troy Mursch, co-founder of Bad Packets LLC, told ZDNet. Furthermore, only Drupal 8 sites where a certain combination of modules is enabled are vulnerable, meaning that very few of these are actually vulnerable, Mursch said.

All in all, while the Drupalgeddon 2 vulnerability took months to patch and was exploited as late as last fall, this new bug doesn't look like it will be exploited for more than a few days before hackers realize they're wasting their time.

With the estimated number of vulnerable sites sitting in the hundreds or low thousands out of a total of 1.2 million Drupal sites, this is a minuscule attack surface that won't entice that many hacker groups going forward.
