{"id":12337,"date":"2018-05-18T08:10:05","date_gmt":"2018-05-18T16:10:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/05\/18\/news-6106\/"},"modified":"2018-05-18T08:10:05","modified_gmt":"2018-05-18T16:10:05","slug":"news-6106","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/05\/18\/news-6106\/","title":{"rendered":"A look into Drupalgeddon’s client-side attacks"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Fri, 18 May 2018 15:00:00 +0000<\/strong><\/p>\n

Drupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability (CVE-2018-7600<\/a>) followed by yet another (CVE-2018-7602<\/a>) almost a month later, both aptly nicknamed Drupalgeddon 2 and Drupalgeddon 3.<\/p>\n

These back-to-back vulnerabilities were accompanied by proof of concepts that translated into almost immediate real-world attacks. For many website owners, this situation was frustrating because the window of time to patch is getting considerably smaller. Additionally, updating or upgrading Drupal (or any other CMS for that matter) may have side effects, such as broken templates or functionality, which is why you need to make a full back up and test the changes in the staging environment before moving to production.<\/p>\n

Rolling out a CMS is usually the easy part. Maintaining it is where most problems occur due to lack of knowledge, fear of breaking something, and, of course, costs. While this is an earned responsibility for each site owner to do due diligence with their web properties, the outcome is typically websites being severely out of date and exploited, often more than once.<\/p>\n

Sample set and web crawl<\/h3>\n

We decided to choose a number web properties that had not yet been validated (including all versions of Drupal, vulnerable or not). Our main source of URLs came from Shodan<\/a> and was complemented by PublicWWW<\/a>, for a total of roughly 80,000 URLs to crawl. We were surprised to start hitting compromised sites quickly into the process and were able to confirm over 900 injected web properties.<\/p>\n

Many of the results were servers hosted on Amazon or other cloud providers that were most likely set up for testing purposes (staging) and never removed or upgraded. Thankfully, they received little to no traffic. The other domains we encountered spanned a variety of verticals and languages, with one common denominator: an outdated version (usually severely outdated) of the Drupal CMS.<\/p>\n

\"\"<\/a><\/p>\n

Figure 1: Crawling and flagging compromised Drupal sites using Fiddler<\/em><\/p>\n

Drupal versions<\/h3>\n

At the time of this writing, there are two recommended releases<\/a> for Drupal. Version 8.x.x is the latest and greatest with some new features, while 7.x.x is considered the most stable and compatible version, especially when it comes to themes.<\/p>\n

\"\"<\/a><\/p>\n

Figure 2: Drupal’s two main supported branches<\/em><\/p>\n

Almost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in August 2015<\/a>. Many security flaws have been discovered (and exploited) since then.<\/p>\n

\"\"<\/a><\/p>\n

Figure 3: Percentage of compromised sites belonging to a particular Drupal version<\/em><\/p>\n

Payloads<\/h3>\n

A large number of Drupal sites that have been hacked via these two recent exploits were also infected with server-side malware, in particular with XMRig cryptocurrency miners<\/a>. However, in this post we will focus on the client-side effects of those compromises. Neither are exclusive though, and one should expect that a hacked site could be performing malicious actions on both server and client side.<\/p>\n

Unsurprisingly, web miners were by far the most common type of injection we noticed. But we also came across a few different social engineering campaigns.<\/p>\n

\"\"<\/a><\/p>\n

Figure 4: Breakdown of the most common payloads<\/em><\/p>\n

Web miners<\/h4>\n

Drive-by mining attacks<\/a> went though the roof in the fall of 2017 but slowed down somewhat at the beginning of the year. It’s safe to say that the recent Drupal vulnerabilities have added fuel to the fire and resulted in increased activity. Coinhive injections remain by far the most popular choice, although public or private Monero pools are gaining traction as well.<\/p>\n

We are seeing the same campaign that was already documented<\/a> by other researchers in early March and is ensnaring more victims by the day.<\/p>\n

\"\"<\/a><\/p>\n

Figure 5: A subdomain of Harvard University’s main site mining Monero<\/em><\/p>\n

Fake updates<\/h4>\n

This campaign of fake browser updates we documented earlier<\/a> is still going strong. It distributes a password stealer of Remote Administration Tool (RAT).<\/p>\n

\"\"<\/a><\/p>\n

Figure 6:\u00a0 A compromised Drupal site pushing a fake Chrome update<\/em><\/p>\n

Tech support scams (browlocks)<\/h4>\n

Redirections to browser locker pages\u2014a typical approach for unveiling tech support scams. The most common redirection we were able to document involved an intermediary site redirecting to browser locker pages using the .TK Top Level Domain (TLD) name.<\/p>\n

mysimplename[.]com\/si.php  window.location.replace(\"http:\/\/hispaintinghad[.]tk\/index\/?1641501770611\");  window.location.href = \"http:\/\/hispaintinghad[.]tk\/index\/?1641501770611\";<\/pre>\n
\"\"<\/a><\/p>\n
Figure 7: A compromised Drupal host redirecting to a browser locker page<\/em><\/p>\n
\n
Web miners and injected code<\/h3>\n
We collected different types of code injection, from simple and clear text to long obfuscated blurbs. It\u2019s worth noting that in many cases the code is dynamic\u2014most likely a technique to evade detection.<\/p>\n
\"\"<\/a><\/p>\n
Figure 8: Collage of some of the most common miner injections<\/em><\/p>\n
Snapshots<\/h3>\n
The following are some examples of compromised sites sorted by category. We have contacted all affected parties to let them know their resources are being used by criminals to generate profit from malicious cryptomining or malware infections.<\/p>\n
\"\"<\/a><\/p>\n
Figure 9: Education (University of Southern California)<\/em><\/p>\n
\"\"<\/a><\/p>\n
Figure 10: Government (Arkansas Courts & Community Initiative)<\/em><\/p>\n
\"\"<\/a><\/p>\n
Figure 11: Political party (Green Party of California)<\/em><\/p>\n
\"\"<\/a><\/p>\n
Figure 12: Ad server (Indian TV Revive Ad server)<\/em><\/p>\n
\"\"<\/a><\/p>\n
Figure 13: Religion (New Holly Light)<\/em><\/p>\n
\"\"<\/a><\/p>\n
Figure 14: Health (NetApp Benefits)<\/em><\/p>\n
\"\"<\/a><\/p>\n
Figure 15: Conferences (Red Hat partner conference)\u00a0<\/em><\/p>\n
\"\"<\/a><\/p>\n
Figure 16: Tech (ComputerWorld’s Brazilian portal)<\/em><\/p>\n
Malicious cryptomining remains hot<\/h3>\n
It is clear that right now, cryptomining is the preferred kind of malicious injection. There are many public but also private APIs that make the whole process easy, and unfortunately they are being abused by bad actors.<\/p>\n
Compromised sites big and small remain a hot commodity that attackers will try to amass over time. And because patching remains an issue, the number of potential new victims never stops growing. In light of this, website owners should look into other kinds of mitigation when patching is not always an immediate option, and check what some people call virtual patching. In particular, Web Application Firewalls (WAFs) have helped many stay protected even against new types of attacks, and even when their CMS was vulnerable.<\/p>\n
Malwarebytes<\/a> continues to detect and block malicious cryptomining and other unwanted redirections.<\/p>\n
Indicators of compromise<\/h3>\n
Coinhive<\/strong><\/p>\n
-> URIs<\/p>\n
cnhv[.]co\/1nt9z  coinhive[.]com\/lib\/coinhive.min.js  coinhive[.]com\/lib\/cryptonight.wasm  coinhive[.]com\/lib\/worker-asmjs.min.js?v7  ws[0-9]{3}.coinhive[.]com\/proxy<\/pre>\n
-> Site keys<\/p>\n
CmGKP05v2VJbvj33wzTIayOv6YGLkUYN  f0y6O5ddrXo1be4NGZubP1yHDaWqyflD  kAdhxvdilslXbzLAEjFQDAZotIVm5Jkf  MKr3Uf5CaT88pcqzAXltkBu4Us5gHWaj  NL9TTsyGeVU8FbKR9fUvwkwU4qPJ4Z2I  no2z8X4wsiouyTmA9xZ0TyUdegWBw2yK  oHaQn8uDJ16fNhcTU7y832cv49PqEvOS  PbNDLKIHLCM0hNXOIM7sRTsk66ZuAamf  RYeWLxbPVlfPNsZUh231aLXoYAdPguXY  XoWXAWvizTNnyia78qTIFfATRgcbJfGx  YaUkuGZ3pmuPVsBMDxSgY45DwuBafGA3<\/pre>\n
Crypto-Loot<\/strong><\/p>\n
-> URI<\/p>\n
cryptaloot[.]pro\/lib\/justdoit2.js<\/pre>\n
-> Keys<\/p>\n
48427c995ba46a78b237c5f53e5fef90cd09b5f09e92  6508a11b897365897580ba68f93a5583cc3a15637212  d1ba2c966c5f54d0da15e2d881b474a5091a91f7c702<\/pre>\n
EthPocket<\/strong><\/p>\n
eth-pocket[.]com:8585  eth-pocket[.]de\/perfekt\/perfekt.js<\/pre>\n
JSECoin<\/strong><\/p>\n
jsecoin[.]com\/platform\/banner1.html?aff1564&utm_content=<\/pre>\n
DeepMiner<\/strong><\/p>\n
greenindex.dynamic-dns[.]net\/jqueryeasyui.js<\/pre>\n
Other CryptoNight-based miner<\/strong><\/p>\n
cloudflane[.]com\/lib\/cryptonight.wasm<\/pre>\n
FakeUpdates<\/strong><\/p>\n
track.positiverefreshment[.]org\/s_code.js?cid=220&v=24eca7c911f5e102e2ba  click.clickanalytics208[.]com\/s_code.js?cid=240&v=73a55f6de3dee2a751c3  185.244.149[.]74  5.9.242[.]74<\/pre>\n
Tech scams<\/strong><\/p>\n
192.34.61[.]245  192.81.216[.]165  193.201.224[.]233  198.211.107[.]153  198.211.113[.]147  206.189.236[.]91  208.68.37[.]2  addressedina[.]tk  andtakinghis[.]tk  andweepover[.]tk  asheleaned[.]tk  baserwq[.]tk  blackivory[.]tk  blownagainst[.]tk  cutoplaswe[.]tk  dearfytr[.]tk  doanythingthat[.]tk  faithlessflorizel[.]tk  grey-plumaged[.]tk  haddoneso[.]tk  handkerchiefout[.]tk  himinspectral[.]tk  hispaintinghad[.]tk  ifheisdead[.]tk  itshandupon[.]tk  iwouldsay[.]tk  leadedpanes[.]tk  millpond[.]tk  mineofcourse[.]tk  momentin[.]tk  murdercould[.]tk  mysimplename[.]com  nearlythrew[.]tk  nothinglikeit[.]tk  oncecommitted[.]tk  portraithedid[.]tk  posingfor[.]tk  secretsoflife[.]tk  sendthemany[.]tk  sputteredbeside[.]tk  steppedforward[.]tk  sweeppast[.]tk  tellingmeyears[.]tk  terriblehope[.]tk  thatwonderful[.]tk  theattractions[.]tk  thereisnodisgrace[.]tk  togetawayt[.]tk  toseethem[.]tk  wickedwere[.]tk  withaforebodingu[.]tk<\/pre>\n
The post A look into Drupalgeddon’s client-side attacks<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Fri, 18 May 2018 15:00:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Back-to-back Drupal zero-day vulnerabilities are being monetized with malicious web cryptominers.<\/p>\n
Categories: <\/p>\n