Three-month-old Drupal vulnerability is being used to deploy cryptojacking malware

The update was deemed critical, but users who haven't applied the patch are being targeted by attackers deploying cryptocurrency miners.
Written by Danny Palmer, Senior Writer

Attackers are exploiting a three-month-old critical vulnerability in Drupal to compromise systems and secretly turn them into malicious cryptocurrency mining machines.

Drupal's content management software is a popular tool for building websites, but this popularity, combined with the critical vulnerability (dubbed 'Drupalgeddon 2' by some), means that attackers have found a way to make a profit.

The vulnerability is being used to deliver cryptojacking malware, which quietly uses the power of the Drupal user's machine to mine for Monero, depositing it into wallets run by the attackers. The only side effects a victim might notice is that their system is running slower, or the fan is doing more work than usual. The secretive nature of cryptojacking has helped bolster its popularity among attackers during the course of the year.

The CVE-2018-7602 remote code execution vulnerability affecting Drupal enables attackers to modify or delete content of Drupal-run sites. The security hole was patched on April 25, but large numbers of users seemingly haven't yet applied the patch, as Trend Micro researchers have spotted the vulnerability being used to deliver a coin miner.

SEE: Cryptocurrency-mining malware: Why it is such a menace and where it's going next

The researchers note that this particular attack uses interesting techniques, including hiding behind the Tor network to evade detection. The malware also checks to see whether a previous miner is running on the system before installing the payload via a series of shell scripts and executables.

As well as hiding behind the Tor network, the attacker or attackers are also using a virtual private network (VPN) in an effort to hide their tracks, but there is a linked IP address. Researchers say there have been hundreds of attempts to conduct attacks via this IP over the last month, although not all involve the Drupal vulnerability: some are related to the Heartbleed vulnerability.

There's no indication as to the exact number of cryptojacking attacks that have been conducted using the Drupal vulnerability, but it serves to remind organisations that they should be patching vulnerabilities -- especially those deemed critical -- in order to protect against attacks.

"Patching and updating the Drupal core fixes the vulnerability that this threat exploits. Drupal's security bulletin provides guidelines on fixing the vulnerability, especially for those that still use unsupported versions of Drupal," said the Trend Micro blog post.

While cryptojacking is a form of malware, for the most part it's a nuisance rather than a dangerous threat. However, Trend Micro's researchers warn that leaving Drupal unpatched could lead to more dangerous threats.

"A single vulnerability in a website or application could cause a data breach or outage," they said.


Editorial standards