IoT botnet actively exploiting Drupal CMS bug

on April 24, 2018 |

Botnet uses compromised systems to spread infection.

Security researchers have discovered a large botnet that is using a severe flaw in the Drupal CMS in order to infect other systems.
According to a blog post by researchers at Qihoo 360 Netlab, bots have been scanning for systems with the CVE-2018-7600 vulnerability, also known as the Drupalgeddon 2 bug. The vulnerability exists in multiple Drupal versions and may be exploited by an attacker to take full control of the target.
Researchers said that scanning started on 13 April this year and that they believed at least three groups of malware campaigns are exploiting this bug. One group has worm-propagation behaviour and was dubbed Muhstik, as this name kept appearing in binary file names and in an IRC communications channel. The malware is also an update of the Tsunami malware, which has been used since 2011 to infect tens of thousands of Unix and Linux servers.
They said that Muhstik uses the following two sets of attack payloads, which contribute around 80 percent of all the payloads observed. The botnet can install multiple malicious payloads, including cryptocurrency miners (such as the XMRig Monero miner, or CGMiner to mine the Dash cryptocurrency) and software to launch DDoS attacks. The botnet uses 11 separate command-and-control domains and IP addresses to stay online as much as possible. It also uses the IRC protocol to communicate, sending different instructions via different channels.
Muhstik is also exploiting flaws in other applications such as WebDAV, WebLogic, Webuzo, and WordPress. It scans ports 80, 8080, 7001, and 2004. The worm propagates by scanning for susceptible server apps and searching servers for weak secure-shell (SSH) passwords.
The security team at Drupal patched up Drupalgeddon2 last month when it released Drupal 7.58 and Drupal 8.5.1. Sites running the CMS have been advised to update to these versions as soon as possible.
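A defender-side check that follows from the advice above, added here as an example and not part of the article or of Drupal itself: it reads the version constant out of a Drupal core file and reports whether the install is at or above the releases the article names (7.58 and 8.5.1). The file locations and constant formats (includes/bootstrap.inc for Drupal 7, core/lib/Drupal.php for Drupal 8) are assumptions not stated in the article, and the sample file contents are constructed.

```python
import re

# Minimum releases the article says fixed CVE-2018-7600 (Drupalgeddon 2).
ADVISED_MIN = {7: (7, 58), 8: (8, 5, 1)}

# How Drupal declares its version constant (assumed, not from the article):
# Drupal 7: includes/bootstrap.inc  ->  define('VERSION', '7.58');
# Drupal 8: core/lib/Drupal.php     ->  const VERSION = '8.5.1';
VERSION_PATTERNS = [
    re.compile(r"define\(\s*'VERSION'\s*,\s*'([0-9][0-9.]*)'\s*\)"),
    re.compile(r"const\s+VERSION\s*=\s*'([0-9][0-9.]*)'"),
]

def extract_version(source_text: str):
    """Return the version string declared in a Drupal core file, or None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(source_text)
        if match:
            return match.group(1)
    return None

def parse_version(version: str):
    """'8.5.1' -> (8, 5, 1); tuples compare element by element."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def meets_advised_version(version: str) -> bool:
    """True if the version is at or above the article's advised release
    for its major line. Majors the article does not cover are reported
    as not meeting the advice so they are not silently passed."""
    parsed = parse_version(version)
    minimum = ADVISED_MIN.get(parsed[0])
    return minimum is not None and parsed >= minimum

def check_core_file(source_text: str):
    """Inspect one core file's text; returns (version, ok) or (None, False)."""
    version = extract_version(source_text)
    if version is None:
        return None, False
    return version, meets_advised_version(version)

# Constructed sample contents standing in for the two core files.
SAMPLE_D7_BOOTSTRAP = "<?php\n/** The current system version. */\ndefine('VERSION', '7.57');\n"
SAMPLE_D8_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '8.5.1';\n}\n"

if __name__ == "__main__":
    for name, text in (("includes/bootstrap.inc", SAMPLE_D7_BOOTSTRAP),
                       ("core/lib/Drupal.php", SAMPLE_D8_DRUPAL_PHP)):
        version, ok = check_core_file(text)
        print(f"{name}: version {version}: {'OK' if ok else 'UPDATE NEEDED'}")
```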
Dr Kevin Curran, senior IEEE member and professor of Cyber-security at Ulster University, told SC Media UK that we are likely to see other Content Management Systems compromised in the future, in part, simply due to their popularity.
“Hackers have accumulated many CMS vulnerabilities and there exists a host of CMSs which have neglected to update to more secure versions – thus leaving them susceptible to these well-known flaws. Weak admin passwords can also be brute forced. The other main weakness in CMSs which leads to hacks is the plugin ecosystem. Here there are, again, well-known attacks in the wild for plugins which also lead to full system hack,” he said.
Paul Ducklin, senior technologist at Sophos, told SC Media UK that the good news about the Drupal CVE-2018-7600 vulnerability is that it isn’t a zero-day because there are already patches available. “If you’ve applied the patches, you can’t be exploited. The bad news is that if you haven’t patched, or if you think you’ve patched but didn’t do it properly, then it might as well be a zero-day, because the crooks can and will attack you. Don’t make yourself an easy target: patch early, patch often!” he said.
Source: https://www.scmagazineuk.com/iot-botnet-actively-exploiting-drupal-cms-bug/article/760331/