U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Crooks exploit CVE-2018-7602 Drupal flaw, aka Drupalgeddon3 to deliver Monero miner

Crooks are attempting to exploit a recently patched Drupal vulnerability, tracked as CVE-2018-7602, to drop Monero mining malware onto vulnerable systems. The CVE-2018-7602 flaw is a highly critical remote code execution issue, also known as Drupalgeddon3, that was addressed by the Drupal team in April with the release of versions 7.59, 8.4.8 and 8.5.3. The security patch for the […]

Drupal

Crooks are attempting to exploit a recently patched Drupal vulnerability, tracked as CVE-2018-7602, to drop Monero mining malware onto vulnerable systems.

The CVE-2018-7602 flaw is a highly critical remote code execution issue, also known as Drupalgeddon3, that was addressed by the Drupal team in
April with the release of versions 7.59, 8.4.8 and 8.5.3.

The security patch for the flaw only works if the fix for the original Drupalgeddon2 vulnerability (CVE-2018-7600) has been installed on the install.

In May, security experts at Malwarebytes reported that crooks were exploiting both Drupalgeddon2 and Drupalgeddon3 to deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Now experts from Trend Micro reported network attacks exploiting CVE-2018-7602 flaw for Monero-mining. Crooks used an exploit to fetch a shell script that retrieves an Executable and Linkable Format-based (ELF) downloader.

The malicious code adds a crontab entry to automatically update itself and to download and execute a modified variant of the open-source XMRig (version 2.6.3) Monero miner.

“We were able to observe a series of network attacks exploiting CVE-2018-7602, a security flaw in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots.” reads the analysis published by TrendMicro.

“While these attacks currently deliver resource-stealing and system performance-slowing malware, the vulnerability can be used as a doorway to other threats.”

The attackers used to hide their activity behind the Tor network, experts tracked it to 197[.]231[.]221[.]211, an address that belongs to a range of IPs associated with a virtual private network (VPN) provider.

The downloader checks the target machine to determine if it could be compromised using the Drupal exploits.

Once executed, the miner will change its process name to [^$I$^] and access the file /tmp/dvir.pid.

“This is a red flag that administrators or information security professionals can take into account to discern malicious activities, such as when deploying host-based intrusion detection and prevention systems or performing forensics,” continues the report.

CVE-2018-7602

The actors behind this attack hide behind the Tor network, but Trend Micro says they were able to trace the activity to 197[.]231[.]221[.]211, an IP belonging to a virtual private network (VPN) provider.

Trend Micro confirmed that its experts have blocked 810 attacks coming from this IP address, at the time there is no evidence that all the attacks were related to the Monero-mining payload.

“The bulk of attacks from this IP address exploit Heartbleed (CVE-2014-0160). The other attacks we observed exploited ShellShock (CVE-2014-6271), an information disclosure vulnerability in WEB GoAhead (CVE-2017-5674), and a memory leak flaw in Apache (CVE-2004-0113).” states Trend Micro.

“Trend Micro also blocked File Transfer Protocol (FTP) and Secure Shell (SSH) brute-force logins from this IP address.” 

Drupal admins urge to install the available patches as soon as possible to avoid being hacked.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2018-7602, Drupalgeddon3)

[adrotate banner=”5″]

[adrotate banner=”13″]