Drupalgeddon 2.0 Still Haunting 115K+ Sites


More than 115,000 sites are still vulnerable to a highly critical Drupal bug – even though a patch was released three months ago.


When it was first revealed, the bug, which has been dubbed Drupalgeddon 2.0, impacted an estimated 1+ million sites running Drupal – including major U.S. educational institutions and government organizations around the world. According to researcher Troy Mursch, up to 115,070 sites are still vulnerable, including websites of a large television network, a mass media and entertainment conglomerate and two “well-known computer hardware manufacturers.”

A patch for the critical remote-code execution bug (CVE-2018-7600), has been available since March. Drupalgeddon 2.0 “potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” according to MITRE’s Common Vulnerabilities and Exposures bulletin.

Mursch said he located almost 500,000 sites running Drupal 7 (the most widely used version) using the source-code search engine PublicWWW. Any site running at least version 7.58 was not considered vulnerable: the affected releases are 7.x before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6 and 8.5.x before 8.5.1. Drupal 6, which is end-of-life, is also affected, as are the end-of-life 8.3.x and 8.4.x branches, for which Drupal issued the 8.3.9 and 8.4.6 releases despite their status.

Of those sites, more than 115,000 were vulnerable, said Mursch, but the true number may be higher: he could not ascertain the versions running on 225,056 of the sites. Another 134,447 sites were not vulnerable.
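The classification behind those three buckets (vulnerable, patched, unknown) is a version comparison against the fixed releases named above. The following Python is an added example, not code from Threatpost or from Mursch's scan: it assumes versions are recovered from a Drupal 7 `CHANGELOG.txt` header line ("Drupal 7.58, 2018-03-28") or from an `X-Generator` header that names only the major version, and it deliberately returns "unknown" when a string does not pin the version precisely enough, which is why a scan like this ends up with a large unclassified bucket rather than inflated counts either way. The sample site list is constructed, not real scan data.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# First release on each supported branch that contains the fix, as named in the
# article (7.58, 8.3.9, 8.4.6, 8.5.1). Drupal 6 and the 8.0-8.2 branches never got one.
FIXED_RELEASES = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Leading numeric components of a version string; suffixes such as "-dev" or "-rc1"
# are ignored (assumption: they do not change the comparison for this advisory).
_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")
# Drupal 7 CHANGELOG.txt opens with a line like "Drupal 7.58, 2018-03-28".
_CHANGELOG_RE = re.compile(r"Drupal\s+(\d+\.\d+(?:\.\d+)?)")
# X-Generator headers look like "Drupal 7 (http://drupal.org)": major version only.
_GENERATOR_RE = re.compile(r"Drupal\s+(\d+(?:\.\d+)*)")


def parse_version(text: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of a Drupal version string, or None if unparseable."""
    if not text:
        return None
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def classify(version: Optional[str]) -> str:
    """Classify a version string as 'vulnerable', 'patched' or 'unknown' for CVE-2018-7600."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    major = v[0]
    if major < 7:
        return "vulnerable"          # Drupal 6 and older: affected, end-of-life, no fix
    if major == 7:
        if len(v) < 2:
            return "unknown"         # "7" alone cannot distinguish 7.57 from 7.58
        return "patched" if v >= (7, 58) else "vulnerable"
    if major == 8:
        if len(v) < 3:
            return "unknown"         # the patch level is needed to compare against 8.x.y
        branch = (8, v[1])
        if branch in FIXED_RELEASES:
            return "patched" if v >= FIXED_RELEASES[branch] else "vulnerable"
        if v[1] < 3:
            return "vulnerable"      # 8.0.x-8.2.x: "8.x before 8.3.9", never fixed
        return "patched"             # 8.6 and later were cut after the fix landed
    return "patched"                 # Drupal 9+ postdate the fix


def version_from_changelog(text: str) -> Optional[str]:
    """Pull 'x.y' or 'x.y.z' from a CHANGELOG.txt header line."""
    m = _CHANGELOG_RE.search(text)
    return m.group(1) if m else None


def version_from_generator(header: str) -> Optional[str]:
    """Pull whatever version the X-Generator header exposes (usually only the major)."""
    m = _GENERATOR_RE.search(header)
    return m.group(1) if m else None


def tally(sites: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count sites per bucket, always reporting all three keys."""
    counts = Counter(classify(v) for v in sites.values())
    return {k: counts.get(k, 0) for k in ("vulnerable", "patched", "unknown")}


# Constructed sample input (hypothetical hosts, not real scan results).
SAMPLE_SITES = {
    "example-a.test": version_from_changelog("Drupal 7.57, 2018-02-21\n-----------------------"),
    "example-b.test": version_from_changelog("Drupal 7.58, 2018-03-28"),
    "example-c.test": version_from_generator("Drupal 7 (http://drupal.org)"),  # major only
    "example-d.test": "8.5.0",
    "example-e.test": "8.5.1",
    "example-f.test": "8.4.6",
    "example-g.test": "8.2.7",
    "example-h.test": "6.38",
    "example-i.test": None,  # nothing recoverable at all
}

if __name__ == "__main__":
    for site, ver in SAMPLE_SITES.items():
        print(f"{site:16} {str(ver):8} {classify(ver)}")
    print(tally(SAMPLE_SITES))
```

The point of the "unknown" bucket is that a scan can only prove exposure when it can see a precise version; a bare major version or a missing changelog says nothing either way, so those hosts should be reported separately rather than folded into either count.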

Mursch told Threatpost he has passed along the list of impacted sites to CERTs and other government organizations for help notifying them.

Meanwhile, while the researcher was scanning for vulnerable sites, he also found yet another new cryptojacking campaign targeting Drupal websites.

The campaign, which uses the domain name upgraderservices[.]cf to inject Coinhive, impacts over 250 websites, including a police department’s website in Belgium and the Colorado Attorney General’s office.

Coinhive is a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive’s JavaScript miner software is often used by hackers, who sneakily embed the code into websites and then mine Monero currency by tapping the CPU processing power of unwitting site visitors’ phones, tablets and computers.

Mursch said the US-CERT has been notified of the active campaign.

The cryptomining campaign is only the most recent one to take advantage of the Drupal flaw. Earlier in May, researchers at Imperva Incapsula found a cryptomining malware dubbed “kitty” targeting servers and browsers exposed to Drupalgeddon 2.0. A botnet dubbed Muhstik also installs cryptocurrency miners and launches DDoS attacks from compromised systems. More recently, attackers behind a ransomware attack on the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.

“This latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale,” Mursch said. “If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP.”
