Hackers targeted Drupal web servers chaining some known vulnerabilities, including Drupalgeddon2 and DirtyCOW issues.
Security experts at Imperva reported an attack against Drupal Web servers running on Linux-based systems. Hackers exploited the Drupalgeddon2 flaw (CVE-2018-7600) along with other issues. The Drupalgeddon2 could be exploited to take over a website, it affects Drupal versions 6, 7 and 8.
The other flaw exploited in the attacks is the DirtyCOW issue, it is a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. The flaw could be exploited by a local attacker to escalate privileges.
In the attack observed by Imperva, hackers attempted to hack into the Drupal servers chaining both Drupalgeddon2 and DirtyCOW, they also attempted to gain access to the target machines via system misconfigurations.
“In this post we’ll unpack a short — but no less serious — attack that affected some Linux-based systems, on October 31. Throughout the campaign, the attacker used a chain of vulnerabilities including the infamous Drupalgeddon2 and DirtyCOW, and system misconfigurations to persistently infect vulnerable Drupal web servers and take over user machines.” reads the analysis published by Imperva.
The new attack stands out because hackers would gain persistence on the target, they opted for a technique to easily re-infect a vulnerable server in case the process is terminated or after a server restart, or run an additional malicious code.
The attackers create a word list by locating all of Drupal’s settings files and extracting all of the lines that contain the word “pass”.
This attack could be effective in case administrators leave ‘root’ as the default user to connect from the web application to the database. The attackers can attempt to use the command ‘su root’ to change the user to root.
If the administrator did not leave the root passwords in the configuration files, the hackers attempt to exploit the DirtyCOW flaw to escalate privileges to root.
“If the attacker succeeds in changing the user, they can proceed to download the secondary payload ‘sshdstuff’ and execute.
“If the administrator was careful and didn’t leave root passwords in the configuration files, this technique fails, and the attacker tries to exploit the DirtyCOW bug to escalate their privileges to root.”
The attackers attempted to use three different implementations of DirtyCOW exploit, one of which is raw format (C source code file) and was being compiled at runtime.
One of the above implementations has zero detection rate in VirusTotal, Imperva points out, even if the DirtyCOW is a two-year old flaw.
Once the attackers gain root access and the permission to install new services, they would install SSH, configure it and add their key to the list of authorized keys by the service.
“Now, as long as the machine is up and running, the attacker can remotely transmit any command as the user root – game over,” Imperva concludes.
“Administrators should make sure that their web application is fully patched as well as the operating system of the host. Alternately, it is possible to use external cybersecurity solution, like a WAF, to block the attack before it reaches the server. Imperva customers are protected out of the box.”