Monero Mining Strikes Again: Drupal Systems at Risk
On July 23, 2018, cybersecurity website Security Intelligence reported that several companies and software users remain susceptible to the infamous “Drupalgeddon virus,” despite Drupal Security Labs releasing a software patch in March 2018 to fight the vulnerability.
Virus Deploying Monero Miner
As stated in the report, the erstwhile named CVE-2018-7600, or “Drupalgeddon 2,” was found and patched by security researchers who later discovered the “CVE-2018-7602” vulnerability, which could deliver illicit cryptocurrency mining malware software to victim computers.
Founded in 2000, the open-source Drupal content management system is used by millions of users around the world, primarily by e-commerce and content management firms. While cyber attacks have infiltrated its protocol on numerous occasions, the CVE-2018-7602 virus was the first instance of a cryptocurrency-centric criminal assault.
Due to an obscurity of relevant security patches, site owners and administrations were gravely affected until the virus was found and patched by Drupal’s security experts. However, it is now known that several companies did not implement the required patch at the time, creating an adverse situation for themselves in recent times.
Virus Mechanism
After infiltrating victim computers and hijacking their computing power, the CVE-2018-7602 virus mines Monero (XMR), the privacy-centric cryptocurrency.
XMR is a hacker’s favorite cryptocurrency: More than 85 percent of all crypto-jacking cases involve the digital asset and hackers have stolen over $175 million worth of XMR in 2018 alone.
To execute the attack, cybercriminals utilize a remote code execution, known to affect Drupal versions seven and eight. As stated on Trend Micro in June, the virus attack commences with a “shell script” download, followed by an “Executable and Linkable Format downloader to add a crontab entry.”
Hackers circumvent embedded security protocols to install mining malware, exploiting Drupal’s lack of “input sanitization of # characters in URLs.”
Furthermore, bad actors use Tor routers to hide their activity. While attempting to trace the attack to its initiator, researchers found the trail’s endpoint was an IP address registered as a Tor exit node.
The virus makes use of HTTP 1.0 POST to return data to the hacker’s servers, effectively bypassing commonly used HTTP 1.1 or higher updates used by organizations. Hence, the virus is not flagged as “criminal” or suspicious by business centers.
“Highly Critical” Rating
As stated in the report, Drupal rates the nefarious cryptocurrency mining virus as “highly critical” for organizations, giving it a score of 20 out of 25. In addition to “cryptojacking,” hackers can use the flaw to control multiple Drupal sites and install distributed denial-of-service (DDoS) malware for long-term software backdoor access.
To avoid such attacks and prevent any mishaps, BTCManager appeals its readership to double-check if the latest Drupal patches are deployed on their system, should they be using the software. Additionally, checking for unusual CPU usage and the faster spinning of fans is a sign of a compromised computer, as is with any instance of cryptojacking.
