New security flaw patched by Drupal last week exploited by cybercriminals

• The remote code execution vulnerability identified as CVE-2019-6340 was actually addressed by Drupal with updates.
• Research from a security firm indicated multiple hacking attempts made by crytominers and other attackers.

Within days of Drupal patching a remote code execution (RCE) vulnerability in its platform, attackers have carried out many cryptomining attacks on Drupal-based sites, likely using PoC exploits released by some researchers.

The big picture - In exclusive research by Imperva, the security firm has identified more than 100 exploit attempts on Drupal sites. The vulnerability, CVE-2019-6340, allowed arbitrary code execution in the REST module in specific versions of the open-source content management platform.

After Drupal released a patch for the vulnerability, proof-of-concept (PoC) exploit codes were developed by other security firms which were still able to exploit the vulnerability. Usually, PoCs are meant to highlight the flaws and in some cases, provide temporary measures to block the attacks. In this case, attackers took advantage of this opportunity to target vulnerable Drupal sites, likely using the information gained from the PoCs.

The Proof-of-Concept Exploits

• The first PoC detailed an attack aimed at Drupal 8, which exploited the RCE vulnerability in a different way. “The RCE is triggerable through a GET request, and without any kind of authentication, even if POST/PATCH requests are disabled in the REST configuration,” the researchers wrote, explaining their approach.
• The other PoC was created by a developer at Tencent which was also similar to the one mentioned above with minor variations in the code.

The bottom line - This vulnerability mainly affects Drupal 8, which forms a small fraction of the total number of Drupal-based sites.

Troy Mursch, co-founder of Bad Packets LLC, told ZDNet, "There are roughly 63,000 Drupal 8 sites around. Furthermore, only Drupal 8 sites where a certain combination of modules is enabled, are vulnerable, meaning that very few of these are actually vulnerable."

Drupal is expected to release another update in the coming days to fix this vulnerability.