A newly discovered vulnerability in Drupal has been exploited to turn infected systems into Monero mining bots. Worse, the vulnerability could easily be exploited to do far more than simply steal resources and performance.
Researchers from the Trend Micro Smart Home Network and IoT Reputation Service Teams found exploits of CVE-2018-7602, a remote code execution vulnerability in Drupal 7 and 8. While the vulnerability was patched on April 25, 2018, many users have yet to move to the current version, leaving an unknown number of Drupal-based websites vulnerable.
The downloader uses the HTTP 1.0 POST method to send traffic, which should be a red flag for security teams, since most organizations have moved to HTTP 1.1 or later for their traffic. Once active on a system, the loader installs a version of the open-source Monero miner XMRig (version 2.6.3) that has had rather simple obfuscation functionality added.
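One way to act on the HTTP 1.0 POST indicator is to scan outbound proxy logs for it. The following is an added example, not code from Trend Micro or the original article; it assumes proxy logs in common/combined log format, and every address, host and path in the sample is constructed.

```python
import re
from collections import Counter

# Common/combined log format: client, identity, user, [time], "METHOD target HTTP/x.y", status, size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample proxy log lines (assumed format, made-up hosts and addresses).
SAMPLE_LOG = """\
10.0.4.17 - - [21/Jun/2018:10:02:11 +0000] "POST http://198.51.100.23/gate HTTP/1.0" 200 312
10.0.4.17 - - [21/Jun/2018:10:02:41 +0000] "POST http://198.51.100.23/gate HTTP/1.0" 200 298
10.0.4.52 - - [21/Jun/2018:10:03:02 +0000] "POST http://intranet.example/login HTTP/1.1" 302 0
10.0.4.52 - - [21/Jun/2018:10:03:05 +0000] "GET http://intranet.example/home HTTP/1.1" 200 5120
10.0.4.90 - - [21/Jun/2018:10:04:19 +0000] "GET http://legacy.example/status HTTP/1.0" 200 64
this line is truncated and does not pa
"""

def find_http10_posts(log_text):
    """Return (hits, unparsed): POST requests sent as HTTP/1.0, plus skipped line count."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            unparsed += 1  # count rather than silently drop, so coverage gaps are visible
            continue
        # Only the combination named in the article is flagged: POST sent as HTTP/1.0.
        if m["method"] == "POST" and m["version"] == "1.0":
            hits.append((m["client"], m["target"], m["time"]))
    return hits, unparsed

def summarize(hits):
    """Count HTTP/1.0 POSTs per (client, destination) pair, most frequent first."""
    return Counter((client, target) for client, target, _ in hits).most_common()

if __name__ == "__main__":
    hits, unparsed = find_http10_posts(SAMPLE_LOG)
    for (client, target), count in summarize(hits):
        print(f"{client} -> {target}: {count} HTTP/1.0 POST request(s)")
    print(f"unparsed lines: {unparsed}")
```

Legitimate legacy clients and some monitoring tools still speak HTTP 1.0, so a hit is a lead to triage against the host's expected software, not a verdict.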
"Patching and updating the Drupal core fixes the vulnerability that this threat exploits," according to Trend Micro.