Application Security , Finance & Banking , Fraud Management & Cybercrime

Cryptocurrency Miners Exploit Latest Drupal Flaw

Patch Now to Block Remote Code Execution Exploits of Content Management System
Cryptocurrency Miners Exploit Latest Drupal Flaw
Here's what a Drupal hack looks like: An attacker can exploit a Drupal flaw by using a POST command to submit a specially crafted link, even if the user is not authenticated, to remotely execute arbitrary code. (Source: Trend Micro)

Hackers wasted little time before trying to turn a "highly critical" vulnerability in the Drupal content management system to their advantage.

See Also: Malware Analysis Spotlight: Why Your EDR Let Pikabot Jump Through

Just three days after Drupal warned of the vulnerability and issued patches, attackers began exploiting the flaw to install cryptocurrency miners and other malicious software on vulnerable sites, security experts warn (see: Hackers Target Fresh Drupal CMS Flaw to Infiltrate Sites).

"We've found dozens of attack attempts aimed at dozens of websites that belong to our customers using this exploit, including sites in government and the financial services industry," Edi Kogan, a researcher at security firm Imperva, says in a blog post.

"There were a few interesting payloads in the most recent attacks," he adds. "One payload tries to inject a JavaScript cryptocurrency - monero and webchain - miner named CoinIMP into an attacked site's index.php file so that site visitors will run the mining script when they browse the site's main page, for the attacker's financial benefit."

Here's CoinIMP's client-side embedded script, which uses a key that's 64 characters in length. When used by an attacker, the attacker generates a key, using the CoinIMP control panel, and includes this key in their maliciously deployed mining script to receive they receive any cryptocurrency-mining proceeds. (Source: Imperva)

The index.php file is what gets first loaded whenever someone visits a website. Cryptocurrency mining malware, meanwhile, refers to any code that uses an infected system's CPUs to "mine" for cryptocurrency by solving computational challenges that build the virtual currency's blockchain in return for a potential reward (see: Malware Moves: Attackers Retool for Cryptocurrency Theft).

Critical Security Fixes

On Feb. 20, the project team behind the Drupal open source CMS software released security updates, warning that they patch a vulnerability, designated CVE-2019-6340, that attackers could use to remotely execute code and potentially take full control of a vulnerable system.

These "critical releases" update Drupal 8.6.x to Drupal 8.6.10, and Drupal 8.5.x or earlier to Drupal 8.5.11.

The Drupal project team recommends that all users immediately apply the updates. "Be sure to install any available security updates for contributed projects after updating Drupal core," the Drupal team says. "No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates."

Many Drupal users will need the update because the flaw exists in web services functionality. "The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest) module," Branden Lynch, a threat analyst at security firm Trend Micro, says in a blog post.

A proof-of-concept exploit for the flaw was first published on Thursday.

Researchers say the flaw is easy to exploit. "An attacker can submit a crafted link that references a type of shortcut and contains serialized PHP in the 'options' field for the link," Lynch says.

The link can be used to execute any command, "including downloading a web shell or establishing persistence on the target via malware or other means," he says. "All executed commands will inherit the privileges of the user running Drupal."

Mitigation Warning: Workarounds Aren't Foolproof

Lynch cautions that the exploit continues to work even for sites that have yet to install updates but have applied Drupal's recommended workarounds to at least mitigate the flaw. Those workarounds involve disabling all web services modules or else configuring services to not allow PUT, PATCH or POST requests to web services resources.

Even with such mitigations in place, "it is still possible to issue a GET request and therefore perform remote code execution, as was the case with the other HTTP methods," he warns.

Some other types of defenses, such as using web application firewalls, can block these types of attacks, he adds.

On Friday, less than 48 hours after Drupal released its latest security updates, independent security researcher Troy Mursch of Bad Packets Report warned that he had already seen numerous attackers scanning for Drupal sites that were vulnerable to CVE-2019-6340.

Popular Hacking Target

Following WordPress and Joomla, Drupal is the world's third most popular content management system, commanding 4 percent market share, according to

More than 1 million websites use Drupal, according to the Drupal project team.

Given Drupal's wide installation base, Imperva's Kogan says the CMS remains a popular attack target. "As always, attacks followed soon after the exploit was published. So being up to date with security updates is a must," he says.

Attacks against Drupal have been escalating in recent years, reaching a peak in 2018 after vulnerabilities with such names as DirtyCOW and Drupalgeddon 1, 2 and 3 were revealed (see: Websites Still Under Siege After 'Drupalgeddon' Redux).

"These were used in mass attacks that targeted hundreds of thousands of websites," Kogan says.

Mursch of Bad Packets Report say attackers are continuing to scan not just for the latest vulnerability, but also older flaws, suggesting that numerous site administrators have yet to apply them.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.