Drupalgeddon 2

A botnet made up of servers and smart devices has begun mass exploitation of a severe Drupal CMS vulnerability and is using already compromised systems to infect new machines, in worm-like fashion.

The botnet is exploiting the CVE-2018-7600 vulnerability, also known as Drupalgeddon 2, to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.

Muhstik botnet starts attacking Drupal sites

Qihoo 360 Netlab researchers, along with experts from GreyNoise Intelligence, have spotted the shift in this botnet's activity from various other exploits to the Drupalgeddon 2 vulnerability at the start of the week. The Netlab team has started referring to this botnet as Muhstik, based on the term used in many of its payloads.

At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware.

Crooks initially used Tsunami for DDoS attacks, but its feature set expanded greatly after its source code leaked online.

The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.

Infected Drupal sites used to scan for other vulnerable servers

But besides these three payloads, experts say that immediately after infecting a Drupal site, the malware also downloads a scanning module.

This module contacts a totally different set of command and control servers than the regular Muhstik ones, gets a list of IP addresses, and starts scanning for vulnerable systems.

Muhstik scans these IPs on predefined ports, attempting to identify new systems to infect, whether servers or smart devices:

80: Weblogic, Wordpress, Drupal, WebDav, ClipBucket  
2004: Webuzo  
7001: Weblogic  
8080: Wordpress, WebDav, DasanNetwork Solution

Once new victims have been identified, the infected host tells one of the main Muhstik C&C servers about potentially new hosts to infect, by sending a request to a specific URL.

This type of design is very common among IoT botnets these days, but Muhstik appears to be the first to add the Drupalgeddon 2 vulnerability to its arsenal.

Besides the mass exploitation of the Drupalgeddon 2 flaw, GreyNoise also reports that this botnet has increased its targeting of Oracle WebLogic systems.

With such a major player like Muhstik now exploiting the Drupalgeddon vulnerability, it's only a matter of time until other botnets get on board. Cybercrime is more of an imitation game than anything else.

The Drupal security team patched Drupalgeddon2 on March 28 with the release of Drupal 7.58 and Drupal 8.5.1. Drupal site owners should update to these versions (or newer) to avoid having their sites and servers taken over by cyber-criminals.
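A local patch-level check for the fix described above, added here as an example (it is not code from the article or from the Drupal project): it reads the core version constant from a Drupal docroot and compares it against the 7.58 and 8.5.1 releases named in the article. The file locations and constant formats used to find the version are assumptions of this example.

```python
import re
from pathlib import Path

# Patched releases named in the article (CVE-2018-7600): 7.58 and 8.5.1.
# Anything older on the same major branch is treated as unpatched.
PATCHED = {7: "7.58", 8: "8.5.1"}

# Where Drupal core records its version. Assumption of this example: Drupal 7
# uses define('VERSION', ...) in includes/bootstrap.inc, Drupal 8 a class
# constant in core/lib/Drupal.php.
VERSION_PATTERNS = {
    "includes/bootstrap.inc": re.compile(r"define\('VERSION',\s*'([^']+)'\)"),
    "core/lib/Drupal.php": re.compile(r"const VERSION\s*=\s*'([^']+)'"),
}

def parse_version(text):
    """Turn '8.5.1', '7.58' or '8.5.0-rc1' into a comparable tuple.
    A pre-release suffix (dev/alpha/beta/rc) sorts below the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    final = 0 if m.group(4) else 1
    return (major, minor, patch, final)

def is_vulnerable(version):
    """True if the version predates the patched release on its branch,
    False if it is patched, None if the branch is not covered by the article."""
    v = parse_version(version)
    baseline = PATCHED.get(v[0])
    if baseline is None:
        return None
    return v < parse_version(baseline)

def version_from_source(relative_path, text):
    """Extract the version string from the contents of a core file, or None."""
    rx = VERSION_PATTERNS.get(relative_path)
    m = rx.search(text) if rx else None
    return m.group(1) if m else None

def audit_site(site_root):
    """Locate the version file under a Drupal docroot; return (version, vulnerable)."""
    for rel in VERSION_PATTERNS:
        path = Path(site_root) / rel
        if path.is_file():
            ver = version_from_source(rel, path.read_text(errors="ignore"))
            if ver:
                return ver, is_vulnerable(ver)
    return None, None

if __name__ == "__main__":
    import sys
    ver, vuln = audit_site(sys.argv[1] if len(sys.argv) > 1 else ".")
    label = {True: "UNPATCHED for CVE-2018-7600", False: "patched", None: "unknown"}[vuln]
    print(f"Drupal {ver or 'not found'}: {label}")
```

Run it with the site's docroot as the argument; a result of "unknown" means the install is on a branch the article's patch list does not cover.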
