More than 115,000 sites are still vulnerable to a highly critical Drupal bug – even though a patch was released three months ago.
When it was first revealed, the bug, which has been dubbed Drupalgeddon 2.0, impacted an estimated 1+ million sites running Drupal – including major U.S. educational institutions and government organizations around the world. According to researcher Troy Mursch, up to 115,070 sites are still vulnerable, including websites of a large television network, a mass media and entertainment conglomerate and two “well-known computer hardware manufacturers.”
A patch for the critical remote-code execution bug (CVE-2018-7600) has been available since March. Drupalgeddon 2.0 “potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” according to MITRE’s Common Vulnerabilities and Exposures bulletin.
Mursch said he located almost 500,000 sites running Drupal 7 (the most widely used version) with the source-code search engine PublicWWW. Any site running version 7.58 or later was not counted as vulnerable; Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are affected (along with the Drupal 6 and 8.3.x and 8.4.x releases, according to Drupal).
I've shared the list of 115,070 vulnerable Drupal sites with @USCERT_gov and @drupalsecurity. Due to the highly critical risk of CVE-2018-7600 being exploited, the list won't be shared publicly.
— Bad Packets by Okta (@bad_packets) June 5, 2018
Of those sites, more than 115,000 were vulnerable, said Mursch, though the true number may be higher: he said he could not ascertain the versions used for 225,056 of the sites. Around 134,447 sites were not vulnerable.
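To make the version triage described above concrete, here is an added example (not from the article and not Mursch's scan tooling) that sorts a Drupal core version string into the same three buckets the scan used, vulnerable, not vulnerable and unknown, using only the affected ranges quoted above; the hostnames and versions in the sample inventory are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Affected ranges from the advisory as quoted in the article: any version
# whose prefix matches the branch and that sorts below the first fixed
# release is vulnerable. Drupal 6 is handled separately (listed as affected,
# no fixed release given).
AFFECTED_BRANCHES = [
    ((7,), (7, 58)),      # 7.x before 7.58
    ((8,), (8, 3, 9)),    # 8.x before 8.3.9 (covers 8.0 through 8.3.8)
    ((8, 4), (8, 4, 6)),  # 8.4.x before 8.4.6
    ((8, 5), (8, 5, 1)),  # 8.5.x before 8.5.1
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Turn '8.4.5' or '7.57' into an int tuple; None if it cannot be read."""
    if not text:
        return None
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None  # e.g. '7.x-dev' carries no usable point release
    return tuple(int(g) for g in m.groups() if g is not None)


def classify(version_text: Optional[str]) -> str:
    """Return 'vulnerable', 'not vulnerable' or 'unknown' for one site."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # same bucket as the 225,056 undetermined sites
    if v[0] < 7:
        return "vulnerable"  # Drupal 6 is affected and out of support
    for branch, first_fixed in AFFECTED_BRANCHES:
        if v[: len(branch)] == branch and v < first_fixed:
            return "vulnerable"
    return "not vulnerable"  # 7.58+, 8.3.9+, 8.4.6+, 8.5.1+, 8.6 and later


def tally(versions: Iterable[Optional[str]]) -> Dict[str, int]:
    """Count sites per bucket, mirroring the scan's three totals."""
    return dict(Counter(classify(v) for v in versions))


# Constructed inventory (hypothetical hosts); None = version not determinable.
SAMPLE_INVENTORY = {
    "site-a.example": "7.57", "site-b.example": "7.58",
    "site-c.example": "8.4.5", "site-d.example": "8.5.1",
    "site-e.example": "6.38", "site-f.example": None,
}

if __name__ == "__main__":
    print(tally(SAMPLE_INVENTORY.values()))
```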
Mursch told Threatpost he has passed along the list of impacted sites to CERTs and other government organizations for help notifying them.
Meanwhile, while the researcher was scanning for vulnerable sites, he also found yet another new cryptojacking campaign targeting Drupal websites.
The campaign, which uses the domain name upgraderservices[.]cf to inject Coinhive, impacts over 250 websites, including a police department’s website in Belgium and the Colorado Attorney General’s office.
Coinhive is a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive’s JavaScript miner software is often used by hackers, who sneakily embed the code into websites and then mine Monero currency by tapping the CPU processing power of unwitting site visitors’ phones, tablets and computers.
I've been monitoring the latest #cryptojacking campaign using upgraderservices[.]cf to inject #Coinhive on vulnerable Drupal websites. The list of affected sites has been added to the spreadsheet. https://t.co/ukZux5aSuM
— Bad Packets by Okta (@bad_packets) June 5, 2018
Mursch said the US-CERT has been notified of the active campaign.
The cryptomining campaign is only the most recent one to take advantage of the headache that is the Drupal glitch. Earlier in May, researchers at Imperva Incapsula found a cryptomining malware dubbed “kitty” targeting servers and browsers open to Drupalgeddon 2.0. Also, a botnet dubbed Muhstik installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a ransomware attack hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.
“This latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale,” Mursch said. “If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP.”