An exploit found in popular content management system (CMS) Drupal that makes it trivially easy for attackers to execute arbitrary code is still causing massive amounts of trouble three months after being discovered.
As reported by researchers from Malwarebytes Labs, the attack known as Drupalgeddon 2 has infected over 900 websites with malware, primarily in the form of cryptominers that max out visitor CPUs in order to mine cryptocurrency.
While many infected websites simply appear to test domains set up and abandoned on Amazon Web Services, many legitimate sites are infected, including high-profile pages operated by the Arkansas state government and the University of Southern California.
A full list of infected websites can be found here, and anyone running an outdated version of Drupal should check to be sure they aren't listed. Just because your website isn't listed doesn't mean its administrators are off the hook: Security researcher Troy Mursch said that the number of vulnerable websites is greater than 115,000, leaving plenty of internet real estate left to infect.
The anatomy of a Drupal disaster
It makes sense that a remote code execution vulnerability would go unresolved for so long on a Drupal website, at least from the perspective of Jérôme Segura of Malwarebytes Labs. "Updating or upgrading Drupal may have side effects, such as broken templates or functionality, which is why you need to make a full back up and test the changes in the staging environment before moving to production," Segura said in a Malwarebytes Labs blog post.
The frustration and extra work that come with a CMS upgrade is well known to anyone who works with one, so it makes sense that updates would be avoided until absolutely necessary. Unfortunately for those still running Drupal versions older than 7.5.9, this is one of those instances.
Outdated versions of Drupal seem commonplace—Malwarebytes Labs even reported that 30% of those infected by Drupalgeddon 2 were running some version of Drupal 7.3, which was last updated in 2015.
As reported by TechRepublic when Drupalgeddon 2 was first revealed in March 2018, "The vulnerability relates to a conflict between how PHP handles arrays in parameters, and Drupal's use of the hash (#) in at the beginning of array keys to signify special keys that typically result in further computation, leading to the ability to inject code arbitrarily."
An attacker has no need to authenticate with Drupal to perform the exploit—they just have to visit a page with a maliciously crafted URL.
This isn't the first time that a widespread exploit has been successful due to the failure of IT to install needed security updates: Perhaps the most well-known incident to happen due to similar causes was the GoldenEye/Peyta outbreak in 2017.
SEE: Cybersecurity spotlight: The ransomware battle (Tech Pro Research)
That's just a single example, and it isn't the only one. Ransomware proliferates largely due to unpatched systems, and the US Government even released a report saying that botnets are successful in part due to exploiting known vulnerabilities.
There's no excuse for this kind of attack: The vulnerability is known and its patch is available. Yes, installing it might be a headache and necessitate more work, but as has been stated before, taking the effort to patch now will prevent your having to recover later.
You can get the latest versions of Drupal here.
Update June 8: The Drupal security team said in a statement that the attack isn't as widespread as initially reported: "the source investigated the contents of CHANGELOG.txt of a large number of sites and assumed all sites reporting a version lower than 7.58 to be vulnerable."
"Checking the contents of CHANGELOG.txt is not a valid way to determine whether a site is vulnerable to any given attack vector. Patches distributed by the Drupal security team to fix the issues were widely used, but did not touch CHANGELOG.txt or any version strings defined elsewhere," Drupal said, adding that the researchers drew their conclusions from insufficient data and Drupal does not believe the number of infected sites or at-risk servers to be as large as stated by others.
The big takeaways for tech leaders:
- A three-month-old Drupal exploit has spread to over 900 websites, infecting them with cryptominers and other malware.
- A patch for the vulnerability has been available since March 2018. Drupal administrators need to update to the latest version now to prevent becoming a victim of this "trivially easy" exploit.
- IT pro's guide to effective patch management (free PDF) (TechRepublic)
- Update Drupal ASAP: Over a million sites can be easily hacked by any visitor (ZDNet)
- Drupal admins: Get ready for emergency out-of-band patch for critical vulnerability (TechRepublic)
- Hello Kitty: Malware targets Drupal to mine for cryptocurrency (ZDNet)
- The common problem with Drupal, Joomla, and Xoops (TechRepublic)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.