
Over 115,000 Drupal Sites still vulnerable to Drupalgeddon2, a gift to crooks

Two months after the release of the security updates for the Drupalgeddon2 flaw, experts continue to see vulnerable websites running flawed versions of Drupal on which the security patches have not been installed.

In March, the Drupal developer Jasper Mattsson discovered a “highly critical” vulnerability, tracked as CVE-2018-7600, aka Drupalgeddon2, affecting Drupal 7 and 8.

Drupal 8.3.x and 8.4.x are no longer supported, but due to the severity of the flaw, the Drupal Security Team decided to address it in those branches too, with specific security updates issued a few days later.

The vulnerability could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing a URL.

After the publication of a working proof-of-concept for Drupalgeddon2 on GitHub, experts started observing attackers using it to deliver backdoors and cryptocurrency miners.


According to the security researcher Troy Mursch, there are over 115,000 Drupal sites that have not installed the security patches for the Drupalgeddon2 vulnerability.

The expert scanned the Internet for websites running the Drupal 7.x CMS and found over 500,000 sites; 115,070 of them were running outdated versions of the popular CMS that are vulnerable to the Drupalgeddon2 flaw. The scan did not cover 6.x and 8.x sites.

“How many Drupal sites are vulnerable? To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7.” states a report published by Mursch.

“Upon completion of the scan I was able to determine:

  • 115,070 sites were outdated and vulnerable.
  • 134,447 sites were not vulnerable.
  • 225,056 sites I could not ascertain the version used.”
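The three buckets above come from checking each site's Drupal version against the releases that fixed CVE-2018-7600. The following Python classifier is an added example, not Mursch's tooling or Drupal project code: it assumes a version line of the form "Drupal X.Y(.Z), date" as found at the top of Drupal 7's CHANGELOG.txt (the same layout is assumed for the 8.x sample), falls back to the `Generator` meta tag, and treats the fixed versions as 7.58, 8.3.9, 8.4.6 and 8.5.1. All inputs are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed release per Drupal 8 minor branch (SA-CORE-2018-002); 7.x was fixed in 7.58.
FIXED_8X = {3: (8, 3, 9), 4: (8, 4, 6), 5: (8, 5, 1)}

# Assumed formats: CHANGELOG.txt header line and the core "Generator" meta tag.
CHANGELOG_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?,", re.M)
GENERATOR_RE = re.compile(r'<meta\s+name="Generator"\s+content="Drupal (\d+)', re.I)


def parse_version(changelog: Optional[str], html: str) -> Optional[Tuple[int, ...]]:
    """Return the most precise version tuple recoverable from the two sources, or None."""
    if changelog:
        m = CHANGELOG_RE.search(changelog)
        if m:
            return tuple(int(p) for p in m.groups() if p is not None)
    m = GENERATOR_RE.search(html)  # the meta tag only reveals the major version
    return (int(m.group(1)),) if m else None


def classify(version: Optional[Tuple[int, ...]]) -> str:
    """Map a version tuple to one of the three buckets used in Mursch's report."""
    if version is None or len(version) < 2:
        return "unknown"  # major version alone cannot tell patched from unpatched
    if version[0] == 7:
        return "not vulnerable" if version >= (7, 58) else "vulnerable"
    if version[0] == 8:
        fixed = FIXED_8X.get(version[1])
        if fixed is None:
            # 8.0-8.2 were end-of-life and never fixed; 8.6+ shipped after the fix.
            return "not vulnerable" if version[1] > 5 else "vulnerable"
        return "not vulnerable" if version >= fixed else "vulnerable"
    return "unknown"  # 6.x and others were outside the scan, as in the article


def tally(sites: Dict[str, Tuple[Optional[str], str]]) -> Dict[str, int]:
    """Count sites per bucket; input maps hostname -> (CHANGELOG.txt text or None, HTML)."""
    counts = {"vulnerable": 0, "not vulnerable": 0, "unknown": 0}
    for changelog, html in sites.values():
        counts[classify(parse_version(changelog, html))] += 1
    return counts


GEN7 = '<meta name="Generator" content="Drupal 7 (https://www.drupal.org)" />'
SAMPLE_SITES = {  # constructed hosts and responses, not real data
    "a.example": ("Drupal 7.57, 2018-02-21\n-----------------------\n", GEN7),
    "b.example": ("Drupal 7.58, 2018-03-28\n-----------------------\n", GEN7),
    "c.example": (None, GEN7),  # CHANGELOG.txt not served: version cannot be ascertained
    "d.example": ("Drupal 8.4.5, 2018-02-21\n", ""),
}

if __name__ == "__main__":
    print(tally(SAMPLE_SITES))
```

A site that removed CHANGELOG.txt or applied the patch without bumping the version lands in "unknown", which is why that bucket was the largest in the report.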

The researcher found numerous vulnerable sites in the Alexa Top 1 Million; the list includes major US educational institutions, government organizations around the world, a large television network, a multinational mass media and entertainment conglomerate, and two major computer hardware manufacturers.

The expert shared the list of vulnerable websites with US-CERT and other CERT teams worldwide.

Mursch confirmed that cryptojacking campaigns are continuing even after his first report:

“While scanning for vulnerable sites, I discovered a new cryptojacking campaign targeting Drupal sites. One of the affected sites was a police department’s website in Belgium. This campaign uses the domain name upgraderservices[.]cf to inject Coinhive.” added the expert.

The expert published a Google Docs spreadsheet to track the original cryptocurrency mining campaign; the document now also includes data on several other campaigns he discovered.

The expert also published IoCs for the campaign. The presence online of 115,000 vulnerable Drupal 7.x websites is very dangerous, a gift for crooks who can abuse them for a broad range of illegal activities.


Pierluigi Paganini

(Security Affairs – Drupal, Drupalgeddon2)
