Drupal sites can be hacked by any visitor because of the code-execution bug

by Gabriel E. Hall - - 2018-05-01

Drupal hacked for the second time in one month. Patch vulnerabilities immediately

Drupal hack turns millions of sites vulnerable to hack

It seems that websites are getting more and more vulnerable to cyber attacks.^[1] Drupal, a free and open source content management framework, written in PHP and spread under General Public License, has been hacked for the third time within 30 days.

This back-end framework is currently used for more than 2.3% of all the web, composing more than 1.3 million members. Now, Drupal's support team is actively spreading a warning to Drupal site admins urging to patch the core vulnerability SA-CORE-2018-004 (CVE-2018-7602) and SA-CORE-2018-002^[2] (CVE-2018-7600) to protect against the hack.

An overview of both Drupal flaws

At the end of March, many sites running Drupal 8, Drupal 7, and Drupal 6 have been hacked after hackers exploited the CVE-2018-7600 bug called Drupalgeddon2. According to cyber researchers, about a million of sites were running the affected versions.

The hack has been marked as “highly critical” scoring 21 out of 25 under the NIST Common Misuse Scoring System. The Drupal's team released a patch for a quick fix immediately, though it was either poorly developed or people failed to install it.

It turned out that the CVE-2018-7600 vulnerability could have allowed hackers to take over vulnerable websites, as well as create malware backdoors to inject crypto-miners.^[3]

Less than a month after the initial exploitation of Drupal vulnerability, the second attack against sites running Drupal versions 8 and 7 have been revealed. The critical vulnerability SA-CORE-2018-004 assigned as CVE-2018-7602 has been exploited by criminals allowing them to take full control over website's server leading to complete website's corruption or data loss. As explained by the Drupal security team,^[4]

It is a remote code execution vulnerability. No more technical details beyond that are available.

The difference between the two bugs, one patch in March 2018 and the other revealed only recently, is that the CVE-2018-7602, the latest one, can result in complete website's takeover.

Drupal security team says no exploits have been found

While sites running Drupal versions 8, 7, and 6 are at the risk of being exploited and hacked, the Drupal content-management framework claims that there were no active exploitation cases detected.

In fact, the same was said about the Drupalgeddon2 flaw, which was supposedly patched before crooks taking actions. However, soon after the patch, security firms found out that the vulnerability resulted in diminished system's resistance to malware. As pointed out by Check Point, the CVE-2018-7600 might be exploited with an intention to open the backdoors to cryptocurrency miners and other malware.^[5]

This fact was proved by the SANS Internet Storm Center, which revealed the flaw being actively used for allocating Monero miner related to XMRig, a PHP backdoor, as well as an IRC bot written in Perl.

Thus, even though Drupal claims they haven't received any reports of the CVE-2018-7602 exploits, we believe that its a matter of time for the sites to get hacked.

Upgrade Drupal 7 or 8 core to prevent your site from being hacked

There's no other way to protect your site using Drupal to the latest version available. The users of Drupal 6 are urged to upgrade to the versions 7 or 8 since the version 6 is no longer officially supported, meaning it does not get security patches anymore.

Admins should download the official patches directly from Drupal's website. Do not fall for installing the updates from third-party download sources as you might download malware instead.

– If you are running 7.x, you should upgrade to Drupal 7.59;
– If you are running 8.5.x, upgrade to the latest version if 8.5.3;
– If you are running 8.4.x, update your site to 8.4.8 and the upgrade to the latest 8.5.3. Note that 8.4.x is no longer supported.

Drupal's support team has also created a post saying Your Drupal site got hacked. Now what?^[6] It can be accessed by clicking this link or visiting the official website. The admins are instructed on how to remove malware from their sites, as well as explicit explanation of the attack and the consequences it may have.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ Lucia Danes. KCW is a crypto-ransomware virus encrypting web files. 2-Spyware. Virus and Spyware news.
^ Drupal Security Team. Drupal Core - Highly Critical - Public Service announcement - PSA-2018-002. Drupal. Official website.
^ Lucian Constantin. Hackers Exploit Drupal Vulnerability to Install Cryptocurrency Miners. Security Boulevard. Producers of leading technology communities.
^ Drupal Security Team. Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004. Drupal. Official website.
^ Mohit Kumar. Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners. The Hacker News. IT related news.
^ Drupal Security Team. Your Drupal site got hacked. Now what?. Drupal. Official website.