A botnet made up of servers and smart devices has begun mass exploitation of a severe Drupal CMS vulnerability and is using already compromised systems to infect new machines, in worm-like fashion.
The botnet is exploiting the CVE-2018-7600 vulnerability (also known as Drupalgeddon 2) to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.
Muhstik botnet starts attacking Drupal sites
Qihoo 360 Netlab researchers, along with experts from GreyNoise Intelligence, spotted this botnet's activity shift from various other exploits to the Drupalgeddon 2 vulnerability at the start of the week. The Netlab team has started referring to this botnet as Muhstik, based on the term used in many of its payloads.
At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware.
Crooks initially used Tsunami for DDoS attacks, but its feature set expanded greatly after its source code leaked online.
The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.
Infected Drupal sites used to scan for other vulnerable servers
But besides these three payloads, experts say that immediately after infecting a Drupal site, the malware also downloads a scanning module.
This module contacts a totally different set of command and control servers than the regular Muhstik ones, gets a list of IP addresses, and starts scanning for vulnerable systems.
Muhstik scans these IPs on predefined ports, attempting to identify new systems to infect, be they servers or smart devices:
80: Weblogic, WordPress, Drupal, WebDav, ClipBucket
8080: WordPress, WebDav, DasanNetwork Solution
Once new victims have been identified, the infected host tells one of the main Muhstik C&C servers about potentially new hosts to infect, by sending a request to a specific URL.
This type of design is very common among IoT botnets these days, but Muhstik appears to be the first to add the Drupalgeddon 2 vulnerability to its arsenal.
Besides the mass exploitation of the Drupalgeddon 2 flaw, GreyNoise also reports that this botnet has increased its targeting of Oracle WebLogic systems.
GreyNoise has detected a sharp increase in opportunistic exploitation of Oracle WebLogic Server, specifically CVE-2017-10271.
~1,200 devices have suddenly started broadly exploiting this vulnerability by issuing exploit requests to the “/wls-wsat/CoordinatorPortType” URL.
— GreyNoise Intelligence (@GreyNoiseIO) April 18, 2018
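For defenders who want to check their own web server logs for the requests GreyNoise describes, the following is an added example, not code from this article, Netlab or GreyNoise. It assumes access logs in the common/combined format; the function names are hypothetical and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path quoted in the GreyNoise report above, lowercased for comparison.
WLS_WSAT_PATH = "/wls-wsat/coordinatorporttype"

# Common/combined access log format (assumption about the server's log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Apr/2018:10:01:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.9 - - [18/Apr/2018:10:01:05 +0000] "POST //wls-wsat/Coordinator%50ortType?x=1 HTTP/1.1" 500 512 "-" "-"',
    '192.0.2.44 - - [18/Apr/2018:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Apr/2018:10:03:10 +0000] "GET /WLS-WSAT/coordinatorporttype HTTP/1.1" 403 0 "-" "-"',
]

def normalise_path(target):
    """Strip scheme/host and query, decode %xx, collapse slashes, lowercase."""
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]+", "", target, flags=re.I)
    path = unquote(path.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def find_wls_wsat_requests(lines):
    """Return {source_ip: [(timestamp, method, status), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        # Prefix match, so the path with extra trailing characters is caught too.
        if m and normalise_path(m["target"]).startswith(WLS_WSAT_PATH):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def served_sources(hits):
    """Sources that got a 2xx/3xx/5xx reply: heuristic (assumption) that
    something behind the path handled the request, so the host needs review."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(s < 400 or s >= 500 for _, _, s in reqs))

if __name__ == "__main__":
    hits = find_wls_wsat_requests(SAMPLE_LOG)
    for ip, reqs in sorted(hits.items()):
        print(ip, reqs)
    print("review:", served_sources(hits))
```

A 404 or 403 for every match means the host was probed but the path was not served; any source listed by `served_sources` warrants checking whether a WebLogic instance is exposed and patched.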
With a major player like Muhstik now exploiting the Drupalgeddon vulnerability, it's only a matter of time until other botnets get on board. Cybercrime is more of an imitation game than anything else.
The Drupal security team patched Drupalgeddon2 on March 28 with the release of Drupal 7.58 and Drupal 8.5.1. Drupal site owners should update to these versions (or newer) to avoid having their sites and servers taken over by cyber-criminals.