Hackers Exploit Drupal Flaw for Monero Mining
22.6.18 securityweek Vulnerebility
Network attacks exploiting a recently patched Drupal vulnerability are attempting to drop Monero mining malware onto vulnerable systems, Trend Micro reports.
Tracked as CVE-18-7602 and considered a highly critical issue that could result in remote code execution, the vulnerability impacts Drupal’s versions 7 and 8 and was addressed in April this year.
The flaw is dubbed Drupalgeddon3 and the patch for it only works if the fix for the original Drupalgeddon2 vulnerability (CVE-18-7600) has been applied.
Last month, hackers were observed targeting both security vulnerabilities to deliver a variety of threats, including cryptocurrency miners, remote administration tools (RATs) and tech support scams.
Trend Micro now says they noticed network attacks exploiting CVE-18-7602 to turn affected systems into Monero-mining bots. As part of the observed incidents, the exploit fetches a shell script that retrieves an Executable and Linkable Format-based (ELF) downloader.
The malware adds a crontab entry to automatically update itself and also retrieves and installs a Monero-mining application, a modified variant of the open-source XMRig (version 2.6.3). The use of XMRig is a feature common to most attacks attempting to mine for Monero.
The downloader also checks the target machine to determine whether it is worth compromising.
When executed, the mining application changes its process name to [^$I$^] and accesses the file /tmp/dvir.pid, Trend Micro says.
“This is a red flag that administrators or information security professionals can take into account to discern malicious activities, such as when deploying host-based intrusion detection and prevention systems or performing forensics,” the security firm notes.
The actors behind this attack hide behind the Tor network, but Trend Micro says they were able to trace the activity to 197[.]231[.]221[.]211, an IP belonging to a virtual private network (VPN) provider. This IP address is a Tor exit node.
Over the past month, the security firm has blocked 810 attacks coming from this IP address, but cannot confirm that they were all related to the Monero-mining payload or performed by the same actor.
Most of the attacks attempt to exploit the Heartbleed vulnerability (CVE-2014-0160), while others target ShellShock (CVE-2014-6271), a flaw in WEB GoAhead (CVE-2017-5674), and an old memory leak in Apache (CVE-2004-0113).
“Trend Micro also blocked File Transfer Protocol (FTP) and Secure Shell (SSH) brute-force logins from this IP address. Note that these attacks exploit even old Linux or Unix-based vulnerabilities, underscoring the importance of defense in depth,” the security researchers warn.
Patched Drupal installations should be safe from the recent attacks and site admins are advised to apply the available patches as soon as possible, to ensure their systems remain secure.