A new attack chain has been identified that combines two vulnerabilities present on unpatched Drupal web servers: Drupalgeddon 2 (CVE-2018-7600, Drupal SA-CORE-2018-002) in Drupal core and Dirty COW (CVE-2016-5195) in the Linux kernel. A remote attacker can use the chain to gain persistent, root-level access to the vulnerable server.
Attackers have been observed scanning for websites that run an outdated version of the Drupal content management system. Once a vulnerable site is identified, a Drupalgeddon 2 exploit (an unauthenticated remote code execution flaw in Drupal core) is used to gain initial access as the web server's service account. That access is enough to read the site's local configuration files (in Drupal, sites/default/settings.php) for database credentials. If the site connects to its database as a user named root and the same password has been reused for the server's root account, the attacker obtains root immediately by logging in with those credentials. If that fails, the Dirty COW kernel vulnerability (a race condition in the kernel's copy-on-write handling) is exploited to escalate from the limited web server account to root. Once root access has been obtained, a legitimate SSH client is installed on the web server.
At the time of publication, it is unknown why attackers are targeting Drupal web servers. It is likely that they are attempting to establish a persistent means of logging in to the servers for later malicious use.
- Linux kernel – versions 2.6.22 and later, prior to the Dirty COW fix in 4.8.3
- Drupal – versions 8.x, 7.x and 6.x prior to the Drupalgeddon 2 fix (7.58 and 8.5.1; Drupal 6 is end of life and receives no core fix)
- Users and administrators are encouraged to review the Linux kernel 4.8.3 changelog and apply their distribution's kernel update (most distributions backported the Dirty COW fix to their supported kernel branches, so the running kernel version alone does not show whether a host is patched).
- Users and administrators are encouraged to review Drupal's security advisory SA-CORE-2018-002 and update to version 7.58 or 8.5.1, or later.
- Sites should connect to their database with a dedicated, least-privileged database account; the root database credentials in settings.php, and in particular a password shared with the system root account, are what turns initial web access into full server compromise in the chain described above.
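The three conditions the chain above depends on (an unpatched Drupal core, root database credentials in settings.php, and a kernel in the Dirty COW version range) can be checked offline. The script below is an added example and is not code from the original advisory or from the Drupal project; it reads the core version from the file each Drupal major release defines it in, greps settings.php for a root database user, and compares the kernel version string against the affected range. The sample site it builds (make_sample_site) and the kernel string it audits are constructed for demonstration; on a real host point audit at the live docroot and pass "$(uname -r)".

```shell
#!/bin/sh
# Added example, not from the original advisory: offline checks for the
# conditions the Drupalgeddon 2 + Dirty COW chain relies on. The sample
# docroot written by make_sample_site is constructed demonstration data.

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Pure-shell comparison, so it does not depend on GNU sort -V.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# drupal_version DOCROOT: print the core version from the file that defines
# it in Drupal 8 (core/lib/Drupal.php), 7 (includes/bootstrap.inc) and
# 6 (modules/system/system.module); fail if none of them exists.
drupal_version() {
    for f in core/lib/Drupal.php includes/bootstrap.inc modules/system/system.module; do
        if [ -f "$1/$f" ]; then
            sed -n 's/.*VERSION[^0-9]*\([0-9][0-9.]*\).*/\1/p' "$1/$f" | head -n 1
            return 0
        fi
    done
    return 1
}

# drupal_unpatched VERSION: succeed when the version predates the fixes the
# advisory names (7.58, 8.5.1). Drupal 6 is end of life and is always
# reported. 8.3.9 and 8.4.6 also carry the fix, so flagged 8.3.x/8.4.x sites
# need a manual look rather than being treated as confirmed vulnerable.
drupal_unpatched() {
    case ${1%%.*} in
        6) return 0 ;;
        7) version_lt "$1" 7.58 ;;
        8) version_lt "$1" 8.5.1 ;;
        *) return 1 ;;
    esac
}

# db_root_credentials SETTINGS_FILE: succeed when the site connects to its
# database as "root" (Drupal 7/8 $databases array or the Drupal 6 $db_url).
db_root_credentials() {
    [ -f "$1" ] && grep -Eq -e "['\"]username['\"][[:space:]]*=>[[:space:]]*['\"]root['\"]" \
                            -e '://root:' "$1"
}

# kernel_in_dirty_cow_range UNAME_R: succeed for 2.6.22 <= version < 4.8.3.
# Distributions backport fixes, so a hit is a prompt to check the distro
# advisory, not proof of vulnerability by itself.
kernel_in_dirty_cow_range() {
    v=${1%%-*}
    ! version_lt "$v" 2.6.22 && version_lt "$v" 4.8.3
}

# make_sample_site DIR: constructed Drupal 7 docroot with an unpatched core
# and a root database user (demonstration data only).
make_sample_site() {
    mkdir -p "$1/includes" "$1/sites/default"
    printf "<?php\ndefine('VERSION', '7.57');\n" > "$1/includes/bootstrap.inc"
    cat > "$1/sites/default/settings.php" <<'EOF'
<?php
$databases = array(
  'default' => array(
    'default' => array(
      'database' => 'drupal',
      'username' => 'root',
      'password' => 'sample-only',
      'host' => 'localhost',
      'driver' => 'mysql',
    ),
  ),
);
EOF
}

# audit DOCROOT UNAME_R: print one line per finding; succeed only when clean.
audit() {
    findings=0
    ver=$(drupal_version "$1") || ver=""
    if [ -z "$ver" ]; then
        echo "drupal: core version not found under $1"; findings=$((findings + 1))
    elif drupal_unpatched "$ver"; then
        echo "drupal: $ver predates the Drupalgeddon 2 fix"; findings=$((findings + 1))
    fi
    if db_root_credentials "$1/sites/default/settings.php"; then
        echo "settings.php: site connects to the database as root"; findings=$((findings + 1))
    fi
    if kernel_in_dirty_cow_range "$2"; then
        echo "kernel: $2 is in the Dirty COW range; confirm against distro backports"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demonstration run against the constructed site and a constructed kernel
# string (an Ubuntu 16.04 GA kernel). On a live host use the real docroot
# and "$(uname -r)".
SAMPLE=${TMPDIR:-/tmp}/drupal-audit-sample.$$
make_sample_site "$SAMPLE"
audit "$SAMPLE" "4.4.0-31-generic" || echo "audit: $SAMPLE needs attention"
rm -rf "$SAMPLE"
```

Each check is deliberately conservative in a different direction: the Drupal check flags some already-patched 8.3.x/8.4.x sites, while the kernel check cannot see backported fixes, so both are triage inputs rather than verdicts. The credentials check is the one with no ambiguity, and it is the one an attacker on the box would run first.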