Hackers are taking advantage of vulnerabilities in the Drupal CMS platform by using malicious code disguised as gifs.
Anyone using the Drupal CMS platform should make sure they have patched their system because cybersecurity analysts have seen an uptick in attacks targeting a vulnerability that was fixed more than a year ago.
Lead researcher for Akamai Larry Cashdollar discovered the attack campaign while examining the cloud company’s network attack logs. Cashdollar said cybercriminals were looking to attack high-profile websites by leveraging Drupalgeddon2, an unauthenticated remote code execution vulnerability in the Drupal CMS platform that was patched in March 2018.
“The fact that these guys are still looking for vulnerabilities that are more than a year old and looking to try to exploit systems to get their malicious php malware installed means that there must be plenty of systems out there that are vulnerable, that folks have not patched,” Cashdollar said in an interview with TechRepublic.
“They are looking for websites that have been neglected,” Cashdollar continued. “It really is a wake up call to people who haven’t patched their systems. If you have a Drupal installation, you should have it patched to the latest version. If you have any sort of software like WordPress, Drupal, and Joomla you should always keep those patched and up to date, especially when the version you’re running is vulnerable to a major code execution vulnerability that’s been circulating since March 2018.”
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic Premium)
Cashdollar said the situation was somewhat interesting because the people behind the attack were using GIFs to hide their attack.
“I observed an attack that is designed to run code that is embedded inside a .gif file. While embedding code in an image file isn’t a new attack method, I haven’t seen this method in quite some time,” he said.
“The attack traffic doesn’t appear to be widespread at this time, nor does it appear to be specifically targeting a single industry vertical. Currently, the attack traffic seems to be directed towards a random assortment of high-profile websites. These guys are probably going to look for high-profile, unauthenticated remote code execution vulnerabilities like this and probably rework their campaigns to target those newer ones that might be more recent and just modify their code to use that vulnerability to have a vector for the infection.”
According to Cashdollar, he only saw an increase in this kind of attack in the last month. By using .gifs, the people behind the attack tried to evade detection and infect machines.
He added that this was just another reminder for companies to patch everything in order to stay up-to-date on all of the latest security features.
“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability’s exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems. This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems — creating a pivot point on the network,” Cashdollar wrote in a blog post.
“Maintaining patches in a timely fashion,” said Cashdollar “as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take.”