A year after patch, Drupalgeddon2 is still being employed in cybercriminal attacks

The remote code execution bug is being used in attacks against high-profile websites.

Cybersecurity: Clicking email links could put your data at risk Social engineering is by far the biggest factor in malicious hacking campaigns, warn researchers – so how can it be stopped?

A remote code execution (RCE) vulnerability patched over a year and a half ago is still being actively employed in attacks against high-profile websites. 

According to cybersecurity researchers from Akamai, the bug, which impacts the open source Drupal content management system (CMS) used to manage websites, is being exploited through malicious .GIF files. 

Drupalgeddon2 is tracked as CVE-2018-7600 and is a vulnerability first discovered in March 2018. Issued a CVSS v3.0 base score of 9.8 and CVSS v2.0 base score of 7.5, the security flaw can be triggered remotely on default and common Drupal installations, potentially leading to RCE, data theft, and website hijacking.

See also: WhiteShadow downloader uses Microsoft SQL queries to deliver malicious payloads

The vulnerability impacts Drupal CMS versions 7.58 and below, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. At the time of discovery, Drupal estimated that over one million websites were vulnerable. Exploits for Drupalgeddon2 were developed in a matter of days. 

A patch was issued over a year and a half ago and Drupal owners were urged to quickly update to new, unaffected versions. However, it seems that not every webmaster followed this advice. 

On Monday, Akamai said the vulnerability is being leveraged through a .GIF file against a "random assortment of high profile websites."

CNET: Iranian hackers targeted a US presidential campaign, Microsoft says

Drupalgeddon2's image file, index.inc.gif, is being hosted on a Brazilian bodysurfing website which appears to have been hijacked. The image file contains obfuscated PHP code and malware packages which are base64 encoded. 

Once launched at vulnerable domains, the bug is used to deploy malware capable of scanning local files for credentials, sending emails containing stolen access details to attackers, and replacing .htaccess files. In addition, malicious code will attempt to display MySQL my.cnf configuration files. 

A second piece of malware found in the image file is a Perl script, widely shared in the underground, which contains denial-of-service (DoS) and Remote Access Trojan (RAT) functionality. 

TechRepublic: Black Hat 2019: Monitoring network operations and managing digital risks

No matter how elderly a vulnerability is -- especially considering that some used in active attack campaigns are over a decade old -- if it is likely unpatched systems exist, they will be abused. 

In cases such as Drupalgeddon2, the team says, its simple and remote exploit ensures that attackers will automate scans and attacks on "poorly maintained and forgotten systems."

"This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems -- creating a pivot point on the network," Akamai says. "Maintaining patches in a timely fashion, as well as properly decommissioning servers if they're no longer being used is the best preventative measure."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0