Drupal is one of the best CMSs for web admins. It is free, open-source and powerful enough to handle many critical tasks, and a huge number of websites use it as their CMS. Recently, Drupal released patches for a vulnerability known as Drupalgeddon2. It will take some time before all affected websites are updated to the latest version, and some operators may never bother to upgrade at all. Attackers are taking this opportunity to exploit the unpatched systems for their own ends.
A botnet has very recently begun exploiting Drupalgeddon2 heavily and on a large scale. The botnet consists of servers and smart devices, and it also behaves much like a worm. As a reminder, Drupalgeddon2 is a vulnerability that allows code to be executed on the website through its URL. Learn more about Drupalgeddon2.
Botnet attacking Drupal sites
Security researchers from Qihoo 360 Netlab and GreyNoise Intelligence have been keeping a close eye on the botnet. They spotted the shift of the botnet's targeting from other vulnerabilities to Drupalgeddon2, which took place at the start of this week. The Netlab team named the botnet Muhstik because it uses that name in many of its payloads.
Muhstik is built on top of Tsunami, an old malware strain that has been used for years to build botnets out of Linux servers and other Linux-based systems. The attacker(s) initially used Tsunami for DDoS attacks, but thanks to its feature set, they have shifted towards exploiting known vulnerabilities.
According to the security researchers, the Tsunami component in Muhstik can install the XMRig Monero miner or CGMiner, or launch a DDoS attack from the infected hosts. With these three payloads, the crooks are making money for themselves (illegally).
Infected hosts act as a worm
The researchers also noted that, besides running those three payloads, infected sites start searching for other sites to find more targets to exploit. This is performed by a scanning module that the malware downloads.
The module contacts a list of command-and-control servers to obtain a list of IP addresses to scan. It probes those addresses on pre-defined ports to identify the systems behind them. Once it has identified a potential target, it reports that target back to the main Muhstik C&C servers.
This kind of behaviour is quite common among IoT botnets today; however, Muhstik is the first known botnet to add Drupalgeddon2 to its arsenal. According to GreyNoise, the malware is also actively targeting Oracle WebLogic systems.
GreyNoise has detected a sharp increase in opportunistic exploitation of Oracle WebLogic Server, specifically CVE-2017-10271.
~1,200 devices have suddenly started broadly exploiting this vulnerability by issuing exploit requests to the “/wls-wsat/CoordinatorPortType” URL.
— GreyNoise Intelligence (@GreyNoiseIO) April 18, 2018
How to stay secured
To stay secure, web admins are strongly advised to upgrade their website software as soon as possible. Drupal has released urgent patches for both of its product lines: v7.58 and v8.5.1. Once infected, you may suffer a severe loss, so patch your systems while there is still time.
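Two defender-side checks that follow from this story, written as an added example (not code from the article, Netlab or GreyNoise): a Drupal version check against the 7.58 and 8.5.1 fix releases named above, and a scan of web-server access logs for requests to the WebLogic path quoted in the GreyNoise tweet. The log lines are constructed, use documentation IP ranges, and are assumed to be in Common Log Format.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Patched Drupal releases named in the article, keyed by major version.
PATCHED = {7: (7, 58), 8: (8, 5, 1)}

# WebLogic endpoint the GreyNoise tweet says the ~1,200 hosts were requesting.
WEBLOGIC_PATH = "/wls-wsat/CoordinatorPortType"

# Common Log Format (assumed): client IP, identity, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Apr/2018:10:01:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 312',
    '198.51.100.9 - - [18/Apr/2018:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 4521',
    '203.0.113.7 - - [18/Apr/2018:10:01:09 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 312',
    '192.0.2.44 - - [18/Apr/2018:10:02:11 +0000] "POST /wls-wsat/CoordinatorPortType?x=1 HTTP/1.1" 404 0',
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.5.1' into (8, 5, 1); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Drupal version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above the fix release for its branch.
    None when the major version is not one of the two branches the article covers."""
    parsed = parse_version(version)
    fixed = PATCHED.get(parsed[0])
    if fixed is None:
        return None
    # Tuple comparison handles '8.5' (< 8.5.1) and '8.6.0' (> 8.5.1) correctly.
    return parsed >= fixed


def weblogic_probe_sources(log_lines: Iterable[str]) -> List[str]:
    """Return the distinct client IPs (in first-seen order) that requested the WebLogic path."""
    seen: List[str] = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if match and match.group("path").startswith(WEBLOGIC_PATH):
            ip = match.group("ip")
            if ip not in seen:
                seen.append(ip)
    return seen


if __name__ == "__main__":
    for v in ("7.57", "7.58", "8.5.0", "8.5.1", "8.6.0"):
        print(f"Drupal {v}: {'patched' if is_patched(v) else 'needs upgrade'}")
    print("Hosts probing the WebLogic endpoint:", weblogic_probe_sources(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; sources that hit the path repeatedly with 5xx responses are worth blocking or investigating.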