Attackers are exploiting a three-month-old critical vulnerability in Drupal to compromise systems and secretly turn them into malicious cryptocurrency mining machines.
Drupal's content management software is a popular tool for building websites, but this popularity, combined with the critical vulnerability (dubbed 'Drupalgeddon 2' by some), means that attackers have found a way to make a profit.
The vulnerability is being used to deliver cryptojacking malware, which quietly uses the processing power of the Drupal user's machine to mine for Monero, depositing it into wallets run by the attackers. The only side effects a victim might notice are that their system is running slower or the fan is working harder than usual. The secretive nature of cryptojacking has helped bolster its popularity among attackers during the course of the year.
The CVE-2018-7602 remote code execution vulnerability affecting Drupal enables attackers to modify or delete content of Drupal-run sites. The security hole was patched on April 25, but large numbers of users seemingly haven't yet applied the patch, as Trend Micro researchers have spotted the vulnerability being used to deliver a coin miner.
The researchers note that this particular attack uses interesting techniques, including hiding behind the Tor network to evade detection. The malware also checks to see whether a previous miner is running on the system before installing the payload via a series of shell scripts and executables.
As well as hiding behind the Tor network, the attacker or attackers are also using a virtual private network (VPN) in an effort to hide their tracks, but there is a linked IP address. Researchers say there have been hundreds of attempts to conduct attacks via this IP over the last month, although not all involve the Drupal vulnerability: some are related to the Heartbleed vulnerability.
There's no indication as to the exact number of cryptojacking attacks that have been conducted using the Drupal vulnerability, but it serves to remind organisations that they should be patching vulnerabilities -- especially those deemed critical -- in order to protect against attacks.
"Patching and updating the Drupal core fixes the vulnerability that this threat exploits. Drupal's security bulletin provides guidelines on fixing the vulnerability, especially for those that still use unsupported versions of Drupal," said the Trend Micro blog post.
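The advice above boils down to one question an administrator has to answer for every Drupal install: is the core version on disk at or above the release that carries the fix? The following script is an added example (not code from the article or from Trend Micro or the Drupal project) that reads the version constant Drupal core declares on disk (`includes/bootstrap.inc` for Drupal 7, `core/lib/Drupal.php` for Drupal 8) and compares it, branch by branch, against a table of minimum patched releases. The table values used here are assumed for CVE-2018-7602 and should be confirmed against Drupal's security advisory before relying on them; the file paths and function names are this example's own.

```python
import os
import re
import sys
from typing import Dict, Optional, Tuple

# Drupal core records its version in one of two places, in two syntaxes:
#   Drupal 7: includes/bootstrap.inc  ->  define('VERSION', '7.58');
#   Drupal 8: core/lib/Drupal.php     ->  const VERSION = '8.5.2';
_VERSION_PATTERNS = (
    re.compile(r"define\(\s*'VERSION'\s*,\s*'([0-9][0-9A-Za-z.\-]*)'\s*\)"),
    re.compile(r"const\s+VERSION\s*=\s*'([0-9][0-9A-Za-z.\-]*)'"),
)
_CORE_FILES = ("includes/bootstrap.inc", "core/lib/Drupal.php")

# Assumed minimum patched release per supported branch for CVE-2018-7602.
# Confirm these against Drupal's security advisory; branches missing from
# the table are treated as unsupported and therefore unpatched.
ASSUMED_PATCHED_MINIMUMS: Dict[str, str] = {
    "7": "7.59",
    "8.4": "8.4.8",
    "8.5": "8.5.3",
}


def extract_version(source: str) -> Optional[str]:
    """Return the VERSION string declared in a Drupal core source file, or None."""
    for pattern in _VERSION_PATTERNS:
        match = pattern.search(source)
        if match:
            return match.group(1)
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.5.2' into (8, 5, 2) so releases compare numerically, not as strings.
    A suffix such as '-dev' or '-rc1' is dropped; the numeric part is what matters here."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def branch_of(parsed: Tuple[int, ...]) -> str:
    """Drupal 7 is patched as one branch ('7'); Drupal 8 per minor branch ('8.4', '8.5')."""
    if parsed[0] == 7:
        return "7"
    return f"{parsed[0]}.{parsed[1]}"


def is_patched(version: str, minimums: Dict[str, str]) -> Optional[bool]:
    """True if the installed release is at or above the patched release for its
    branch, False if it is older, None if the branch is not in the table at all
    (an unsupported branch never received the fix, so treat None as unpatched)."""
    parsed = parse_version(version)
    branch = branch_of(parsed)
    if branch not in minimums:
        return None
    return parsed >= parse_version(minimums[branch])


def check_install(docroot: str, minimums: Dict[str, str] = ASSUMED_PATCHED_MINIMUMS) -> dict:
    """Locate the core version file under a Drupal docroot and report its patch status."""
    for relative in _CORE_FILES:
        path = os.path.join(docroot, relative)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as handle:
                version = extract_version(handle.read())
            if version is None:
                return {"path": path, "version": None, "patched": None}
            return {"path": path, "version": version, "patched": is_patched(version, minimums)}
    return {"path": None, "version": None, "patched": None}


if __name__ == "__main__":
    # Usage: python drupal_patch_check.py /var/www/html
    report = check_install(sys.argv[1] if len(sys.argv) > 1 else ".")
    status = {True: "patched", False: "UNPATCHED", None: "unknown/unsupported"}[report["patched"]]
    print(f"{report['path']}: version {report['version']} -> {status}")
```

A `None` result deserves the same response as `False`: either the version file could not be read, or the site runs a branch that the advisory does not cover, and in both cases the install should be treated as exposed until it is upgraded to a supported, patched release.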
While cryptojacking is a form of malware, for the most part it's a nuisance rather than a dangerous threat. However, Trend Micro's researchers warn that leaving Drupal unpatched could lead to more dangerous threats.
"A single vulnerability in a website or application could cause a data breach or outage," they said.