Hackers using Drupalgeddon 2 and Dirty Cow in new attacks

• Through these attacks, hackers aim to gain control of servers and elevate their access to a root account.
• The hackers can even install a legitimate SSH key to gain persistence on infected servers.

A new type of attack against Drupal site owners has been observed in the past few days. Hackers are relying on two well-known exploits - Drupalgeddon 2 vulnerability and the Dirty Cow exploit - to perform the nefarious attacks.

Imperva researchers told ZDNet that through these attacks, hackers aim to gain control of servers and elevate their access to a root account. By exploiting the websites, hackers can even install a legitimate SSH key to gain persistence on infected servers. This allows them to stay logged in on the server for several days.

How it works

The attack involves scanning for websites that are running an outdated version of the Drupal website manager (CMS). Once the vulnerable sites are identified, hackers deploy a Drupalgeddon 2 exploit to gain a limited foothold on a targeted server. This helps them to look into the Drupal site’s local configuration files, which contain database credentials.

The exploit works only if the database connection setting includes an account with the name ‘root’. In case of failure, hackers deploy Dirty Cow which lets hackers obtain root access to a user’s account.

Although the end goal of attackers is not fully determined, Nadav Avital, Threat Analytics Manager at Imperva, told ZDNet that the company’s web firewall has detected dozens of sites affected from infection.

"Since all of the attacks were detected and blocked by Imperva we cannot fully determine the attackers end goal. Having said that, in one of our latest reports we found that almost 90% of such attacks are attempting to install a crypto-mining malware," Avital told ZDNet.

Avital noted that since the attack takes place only on websites running an outdated version of the Drupal website manager, it is very important for website and server owners to update Drupal and their Linux servers in order to stay safe from such attacks.

"Considering, the lethargic pace of patching, the severity of the vulnerability and the fact that many of the hacking tools incorporated this attack, results in huge amount of attacks. Even today Drupalgeddon is one of the most popular attack vectors hackers are trying to use," Avital told ZDNet.