Drupalgeddon2 is The Next Target of Hackers

Mel Khamlichi, founder of Osradar (http://www.osradar.com), Amsterdam, Netherlands

Drupal is one of the most widely used content management systems: free, open source, and capable enough to run large and critical sites. Recently, Drupal released patches for a critical vulnerability in its core, known as Drupalgeddon2 (CVE-2018-7600). It will take time before every site is updated to a fixed release, and some operators will never bother. Attackers are using that window to exploit unpatched installations and put them to work for themselves.

Very recently, a botnet has begun large-scale exploitation of Drupalgeddon2. The botnet is made up of compromised servers and smart devices, and it behaves much like a worm. As a reminder, Drupalgeddon2 is an unauthenticated remote code execution bug: a crafted request, delivered through a URL query string or form submission, lets an attacker run code on the web server.
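Public exploits for this bug all smuggle Drupal Form API render-array keys (the `#`-prefixed keys such as `#post_render` or `#markup`) into request parameters, where they appear URL-encoded as `%23` in the request line. The following is an added example, not code from the article or from the researchers it cites: it scans a constructed access log for those markers so an operator can tell whether a site has been probed. The sample log lines, the IP addresses (documentation ranges), and the function names are all assumptions made for the example.

```python
"""Spot Drupalgeddon2 (CVE-2018-7600) exploitation attempts in a web server access log.

Added example; not code from the article, from Netlab, or from GreyNoise.
Detection keys on what public exploits send: Drupal Form API render-array keys
('#'-prefixed, e.g. #post_render, #markup) injected into request parameters,
which show up URL-encoded as %23 in the request line.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Common Log Format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Render-array keys used as array keys, e.g. name[#post_render][]=passthru
# (Drupal 7 variant), or an element_parents value pointing at a '#' key, e.g.
# element_parents=account/mail/#value (Drupal 8 AJAX variant; its payload
# travels in the POST body, which the access log does not record).
EXPLOIT_RE = re.compile(
    r"\[#(?:post_render|pre_render|lazy_builder|access_callback|markup|type|value|children)\]"
    r"|element_parents=[^&\s]*#"
)


def decode_target(target: str) -> str:
    """URL-decode the request target twice so double-encoded '%2523' is also caught."""
    return unquote(unquote(target))


def is_drupalgeddon2_attempt(target: str) -> bool:
    """True if the request line carries the render-array keys the exploit abuses."""
    return EXPLOIT_RE.search(decode_target(target)) is not None


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one record per suspicious request; lines that do not parse are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_drupalgeddon2_attempt(m["target"]):
            hits.append({"ip": m["ip"], "method": m["method"],
                         "target": m["target"], "status": m["status"]})
    return hits


# Constructed sample log (documentation IP ranges), not captured traffic.
# The last two lines are ordinary visits to the registration form and must not fire.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2018:10:01:12 +0000] "GET /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 512
198.51.100.9 - - [23/Apr/2018:10:01:15 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 38
192.0.2.44 - - [23/Apr/2018:10:02:01 +0000] "GET /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=id HTTP/1.1" 200 1201
192.0.2.44 - - [23/Apr/2018:10:02:03 +0000] "GET /?q=user/password&name%5B%2523post_render%5D%5B%5D=passthru HTTP/1.1" 200 1201
10.0.0.5 - - [23/Apr/2018:10:03:00 +0000] "GET /user/register HTTP/1.1" 200 9034
10.0.0.5 - - [23/Apr/2018:10:03:30 +0000] "POST /user/register HTTP/1.1" 303 0
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']:15} {hit['method']:4} {hit['status']} {decode_target(hit['target'])}")
```

Run it against a real `access.log` by passing the file contents to `scan_access_log`. A hit with status 200 on the Drupal 8 AJAX endpoint does not by itself prove compromise, since the payload is in the POST body, but on an unpatched site it should be treated as one until the host has been checked for miners or unexpected processes.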

Botnet attacking Drupal sites

Security researchers from Qihoo 360 Netlab and GreyNoise Intelligence have been watching the botnet closely. They spotted its shift from other vulnerabilities to Drupalgeddon2 at the start of this week. The Netlab team named the botnet Muhstik, after a string that appears in many of its payloads.

Muhstik is built on Tsunami, an old IRC-controlled malware strain that has been used for years to build botnets out of Linux servers and other Linux-based systems. Its operators originally used Tsunami for DDoS attacks but, thanks to its feature set, have since moved on to exploiting known vulnerabilities.

According to the researchers, the Tsunami component in Muhstik can install the XMRig Monero miner or CGMiner, or launch DDoS attacks from infected hosts. These three payloads are how the operators make money from the botnet, illegally.

Infected hosts act as a worm

The researchers also note that, besides running those three payloads, infected hosts start scanning for further sites to exploit. This is done by a scanning module that the malware downloads.

The module contacts a list of command-and-control (C&C) servers to fetch IP ranges to scan, probes those addresses on predefined ports to fingerprint the systems behind them, and reports candidate targets back to the main Muhstik C&C servers.

This behaviour is common among today's IoT botnets. Muhstik, however, is the first known botnet to add Drupalgeddon2 to its arsenal. According to GreyNoise, the same malware is also actively targeting Oracle WebLogic servers.

How to stay secure

Web admins are strongly advised to upgrade their sites as soon as possible. Drupal released urgent patches for both supported product lines: 7.58 for Drupal 7 and 8.5.1 for Drupal 8 (with 8.4.6 and 8.3.9 for the older 8.x branches). Once a site is infected, the damage can be severe, so patch while there is still time.
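The quickest check is the version string that Drupal core ships with. The script below is an added example, not code from the article or from the Drupal project: it reads that constant from a docroot, compares it with the first fixed release of each branch, and falls back to looking for the request-sanitizer file that the fix added, because a site patched with the standalone patch rather than a full upgrade keeps its old version string. The docroots it inspects are constructed fixtures in a temporary directory, and all function names are assumptions made for the example.

```python
"""Check whether a Drupal docroot runs a release fixed for Drupalgeddon2 (CVE-2018-7600).

Added example; not code from the article or from the Drupal project. Fixed releases
follow Drupal's advisory: 7.58, 8.5.1, and 8.4.6 / 8.3.9 for the older 8.x branches.
The docroots built at the bottom are constructed fixtures, not real installations.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# First fixed release per supported branch.
FIXED = {(7,): (7, 58), (8, 3): (8, 3, 9), (8, 4): (8, 4, 6), (8, 5): (8, 5, 1)}

# Where core records its own version: Drupal 8, then Drupal 7.
VERSION_FILES = (
    ("core/lib/Drupal.php", re.compile(r"const VERSION = '([^']+)'")),
    ("includes/bootstrap.inc", re.compile(r"define\('VERSION', '([^']+)'\)")),
)

# Files the security fix added; present after a standalone patch, even though the
# version string stays unchanged.
SANITIZER_FILES = (
    "core/lib/Drupal/Core/Security/RequestSanitizer.php",  # Drupal 8
    "includes/request-sanitizer.inc",                      # Drupal 7
)


def read_version(docroot: Path) -> Optional[str]:
    """Return the core version string, or None if no core version file is found."""
    for rel, pattern in VERSION_FILES:
        path = docroot / rel
        if path.is_file():
            m = pattern.search(path.read_text())
            if m:
                return m.group(1)
    return None


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """'8.5.1' -> (8, 5, 1); '-dev'/'-rc' suffixes dropped; None if not numeric."""
    numeric = version.split("-", 1)[0]
    try:
        return tuple(int(part) for part in numeric.split("."))
    except ValueError:
        return None


def is_patched(version: str) -> Optional[bool]:
    """True if version is at or above the first fixed release of its branch;
    None if the version cannot be parsed."""
    parts = parse_version(version)
    if parts is None:
        return None
    if parts[0] == 7:
        return parts >= FIXED[(7,)]
    if parts[0] == 8 and len(parts) >= 2:
        branch = (8, parts[1])
        if branch in FIXED:
            return parts >= FIXED[branch]
        # 8.0-8.2 were unsupported and never fixed; 8.6+ shipped after the fix.
        return parts[1] > 5
    # Drupal 9+ postdates the fix; anything older than 7 is unsupported.
    return parts[0] > 8


def assess(docroot: Path) -> str:
    """One-line verdict for a docroot."""
    version = read_version(docroot)
    if version is None:
        return f"unknown: no Drupal core version file under {docroot}"
    patched = is_patched(version)
    if patched is None:
        return f"unknown: cannot parse version {version!r}"
    if patched:
        return f"patched: Drupal {version}"
    if any((docroot / rel).is_file() for rel in SANITIZER_FILES):
        return f"patched (standalone patch applied): Drupal {version}"
    return f"VULNERABLE: Drupal {version}, upgrade to a fixed release now"


def make_sample_docroot(version: str, with_sanitizer: bool = False) -> Path:
    """Constructed fixture: a fake docroot holding only the version file (and,
    optionally, an empty stand-in for the sanitizer file)."""
    root = Path(tempfile.mkdtemp(prefix="drupal-"))
    if version.startswith("7."):
        files = [("includes/bootstrap.inc", f"<?php\ndefine('VERSION', '{version}');\n")]
        sanitizer = "includes/request-sanitizer.inc"
    else:
        files = [("core/lib/Drupal.php", f"<?php\nclass Drupal {{\n  const VERSION = '{version}';\n}}\n")]
        sanitizer = "core/lib/Drupal/Core/Security/RequestSanitizer.php"
    if with_sanitizer:
        files.append((sanitizer, "<?php\n"))
    for rel, content in files:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    for v, s in (("7.57", False), ("7.57", True), ("8.5.0", False), ("8.5.1", False)):
        print(assess(make_sample_docroot(v, s)))
```

Point `assess` at the real docroot (the directory holding `index.php`) to use it on a live site. A "patched" verdict only says the code is fixed; a site that was exploited before the patch can still carry a miner, a cron job or a web shell, so hosts that were exposed while vulnerable need a compromise assessment as well.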
