Threat Actors Prey on Drupalgeddon Vulnerability to Mass-Compromise Websites and Underlying Servers

**This post was co-written with IBM X-Force researcher Noah Adjonyo**


IBM Security’s Managed Security Services (MSS) team monitors the enterprise threat landscape on an ongoing basis, detecting and mapping new threats as they emerge. In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.

This appears to be a financially motivated effort to mass-compromise websites. How can defenders keep websites and underlying systems safe in the face of these evolving threats? 

What Is Drupal, and Why Is It a Target?

Like WordPress, Drupal is a content management system (CMS) that is used widely by people who create and maintain websites and applications for all sorts of purposes, both personal and business, private and public. Drupal is open source and, as such, is maintained by a community of users, which also handles its security and vulnerability patching.

CMSs that are used across a large number of websites are juicy targets for cybercriminals, who commonly automate their attacks in a one-size-fits-all type of operation. Those who target random websites aim to compromise as many as possible and consider the monetization options later.

To do that, malicious actors often pick a vulnerability and then probe for exploitable sites en masse. Those found unpatched or vulnerable for some other reason might fall under the attacker’s control, which could mean a complete compromise of that site. With this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks. 

ShellBot Attacks Open Backdoors With Drupalgeddon 2.0

Want to read the next section? Check out the original blog post here.
