Tag Archives: CVE-2018-7600

Kitty Cryptocurrency Miner

An advanced cryptocurrency miner called Kitty has been observed exploiting the Drupal remote code execution vulnerability better known as Drupalgeddon 2.0 (details here).

CVE-2018-7600 is exploited to deliver a Bash script to the target device. This script then installs a PHP file called ‘kdrupal’ containing a Base64-encoded backdoor and registers a cron job to maintain persistence. Once this is done, a variant of the XMRig Monero miner, referred to as kkworker, is installed.

Alongside mining cryptocurrency directly on the compromised server, Kitty will also attempt to distribute another mining script called me0w.js to any hosts that connect to the server.

“The attacker initially tries to alter the commonly used index.php file and add to it the malicious JavaScript me0w.js,” a blog post explains. They then scan for all JavaScript files on the server and, once found, inject the same malicious me0w.js file.
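The infection chain described above leaves three things on disk that a defender can look for: a PHP file named after ‘kdrupal’, PHP that decodes a Base64 payload, and index.php or site JavaScript that references me0w.js (or the host listed under Hosts To Block). The following triage scanner is an added example written for this page, not code from the original post or from any of the researchers cited; the directory layout, file names other than ‘kdrupal’ and me0w.js, and the sample file contents are all constructed fixtures.

```python
import tempfile
from pathlib import Path

# Indicators taken from the write-up above: the dropped PHP file name, the
# injected script name, and the host listed under "Hosts To Block".
BACKDOOR_NAME = "kdrupal"
SCRIPT_MARKERS = ("me0w.js", "allfontshere.press")
PHP_SUFFIXES = {".php", ".inc", ".module"}
WEB_SUFFIXES = PHP_SUFFIXES | {".html", ".htm", ".js"}


def triage_webroot(webroot):
    """Return a sorted list of (relative path, finding) tuples for files that
    match one of three rules: a file whose name contains the backdoor name,
    a PHP file that calls base64_decode(), or any web file that references the
    injected script or its host. One file can produce several findings."""
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if BACKDOOR_NAME in path.name.lower():
            findings.append((rel, "backdoor filename"))
        if path.suffix.lower() not in WEB_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.suffix.lower() in PHP_SUFFIXES and "base64_decode(" in text:
            findings.append((rel, "base64_decode in PHP"))
        for marker in SCRIPT_MARKERS:
            if marker in text:
                findings.append((rel, f"references {marker}"))
                break  # one script-reference finding per file is enough
    return sorted(findings)


def build_sample_webroot():
    """Constructed fixture (not a real sample): a clean settings.php and
    library stub, a 'kdrupal.php' stand-in that only contains the decode call,
    an index.php with an injected script tag, and a JS file that loads the
    same script."""
    root = Path(tempfile.mkdtemp(prefix="kitty-triage-"))
    (root / "js").mkdir()
    (root / "index.php").write_text(
        "<?php\n"
        "// front controller (constructed sample)\n"
        "echo 'hello';\n"
        "?>\n"
        '<script src="https://www.allfontshere.press/me0w.js"></script>\n'
    )
    (root / "kdrupal.php").write_text(
        "<?php\n"
        "// stand-in for the dropped file; 'Y29uc3RydWN0ZWQ=' decodes to 'constructed'\n"
        "$payload = base64_decode('Y29uc3RydWN0ZWQ=');\n"
    )
    (root / "js" / "app.js").write_text(
        "// site script (constructed sample)\n"
        "var s = document.createElement('script');\n"
        "s.src = '/sites/default/files/me0w.js';\n"
        "document.head.appendChild(s);\n"
    )
    (root / "js" / "jquery.js").write_text("// clean library stub\n")
    (root / "settings.php").write_text("<?php\n$databases = [];\n")
    return root


if __name__ == "__main__":
    for rel, finding in triage_webroot(build_sample_webroot()):
        print(f"{rel}: {finding}")
```

Run it against a real Drupal document root instead of the fixture to get a first list of files to inspect by hand; a hit on base64_decode() alone is only a lead, since legitimate modules use it too, which is why the scanner reports each rule separately rather than a single verdict.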

It took us some time to find any hosts to block for this one, but as a start it could be related to this:

Hosts To Block

31.187.64.216

www.allfontshere.press

Affected Platforms

Drupal Core – Versions 8.5.0 / 8.4.5 / 8.3.8 / 7.57 and earlier




Muhstik Botnet

Muhstik is a botnet that uses compromised websites to launch distributed denial-of-service (DDoS) attacks and install cryptocurrency mining malware.

The threat actors are currently targeting and exploiting websites running vulnerable versions of the Drupal content management system. Over one million websites are potentially affected if left unpatched.

The Muhstik botnet exploits Drupal vulnerability (CVE-2018-7600), impacting versions 6, 7, and 8 of Drupal’s CMS platform. “This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” warned MITRE’s Common Vulnerabilities and Exposures bulletin on March 28.

When a server has been compromised, Muhstik downloads a scanning module and attempts to find other vulnerable hosts. It uploads any potential targets to Command and Control servers, which use Internet Relay Chat to issue commands.

Compromised servers are used to launch DDoS attacks and to mine the Bitcoin and Monero cryptocurrencies.



Muhstik is a variant of the Tsunami botnet. Its features include:

  • Worm Propagation
  • Persistence
  • Xmrig to mine XMR cryptocurrency coins with a self-built mining pool
  • Cgminer to mine BTC cryptocurrency coins, using multiple mining pools, all with username reb0rn.D3
  • DDoS capability to attack networks at the owner’s command
  • Vulnerability scanner that utilizes 7 exploits to spread Muhstik to other vulnerable servers
  • SSH Brute force scanning for gaining access to servers with weak passwords
  • IRC based Command and Control with 11 hard-coded URLs for communication

Hosts To Block

46.243.189.102
47.135.208.145:4871
dash.viabtc.com (Muhstik cgminer wallet and mining pool address)
139.99.101.96 AS16276 OVH SAS
144.217.84.99 AS16276 OVH SAS
145.239.84.0 AS16276 OVH SAS
147.135.210.184 AS16276 OVH SAS
142.44.163.168 AS16276 OVH SAS
192.99.71.250 AS16276 OVH SAS
142.44.240.14 AS16276 OVH SAS
121.128.171.44 AS4766 Korea Telecom #Not active now
66.70.190.236 AS16276 OVH SAS #Not active now
145.239.93.125 AS16276 OVH SAS
irc.de-zahlung.eu:9090 #Not active now
http://51.254.221.129/c/cron
http://51.254.221.129/c/tfti
http://51.254.221.129/c/pftp
http://51.254.221.129/c/ntpd
http://51.254.221.129/c/sshd
http://51.254.221.129/c/bash
http://51.254.221.129/c/pty
http://51.254.221.129/c/shy
http://51.254.221.129/c/nsshtfti
http://51.254.221.129/c/nsshcron
http://51.254.221.129/c/nsshpftp
http://51.254.221.129/c/fbsd
http://191.238.234.227/x/aiox86
47.135.208.145
dasan.deutschland-zahlung.eu
134.ip-51-254-219.eu
uranus.kei.su
wireless.kei.su
www.kei.suy.fd6fq54s6df541q23sdxfg.eu
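Both Hosts To Block lists on this page (the Kitty list and the Muhstik list above) mix bare IPs, hostnames, host:port pairs, full URLs, AS annotations and “#Not active now” comments, so they cannot be fed to a log search as-is. The helper below is an added example for this page, not code from the original posts: it normalises such entries to a set of hosts and then checks constructed log lines (an Apache access line, a proxy line and a DNS query line, none of them real captures) for any of those hosts. The sample entries are copied from the lists above; the log format and the private-range client addresses are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Sample entries copied from the two "Hosts To Block" lists on this page.
SAMPLE_ENTRIES = [
    "31.187.64.216",
    "www.allfontshere.press",
    "47.135.208.145:4871",
    "dash.viabtc.com ( Muhstik cgminer wallet and mining pool address )",
    "139.99.101.96 AS16276 OVH SAS",
    "121.128.171.44 AS4766 Korea Telecom #Not active now",
    "irc.de-zahlung.eu:9090 #Not active now",
    "http://51.254.221.129/c/cron",
    "http://191.238.234.227/x/aiox86",
]

# Constructed log lines (not real captures): one inbound web request from a
# listed host, one benign request, one outbound proxy fetch of a listed URL
# and one DNS query for the listed mining pool.
SAMPLE_LOG = [
    '31.187.64.216 - - [10/May/2018:12:01:07 +0000] "POST /user/register HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/May/2018:12:01:09 +0000] "GET /index.php HTTP/1.1" 200 1024',
    "2018-05-10T12:02:11Z web1 proxy: 10.0.0.9 GET http://51.254.221.129/c/cron 200",
    "2018-05-10T12:02:15Z web1 named: client 10.0.0.9 query: dash.viabtc.com IN A",
]

_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def normalize_ioc(entry):
    """Reduce one raw list line to a lower-case host, or None for blank or
    comment-only lines. Handles 'host:port', 'scheme://host/path', trailing
    AS / parenthetical notes and '#...' comments. IPv6 literals are not
    expected in these lists and are not handled."""
    raw = entry.split("#", 1)[0].strip()
    if not raw:
        return None
    token = raw.split()[0]
    if "://" in token:
        host = urlsplit(token).hostname
    elif ":" in token:
        host = token.rsplit(":", 1)[0]
    else:
        host = token
    return host.lower() if host else None


def blocked_hosts(entries):
    """Set of normalised hosts from an iterable of raw list lines."""
    return {h for h in (normalize_ioc(e) for e in entries) if h}


def match_log(lines, blocked):
    """Return (line index, matched host) for every log line that contains a
    blocked host as a whole token, whether as client IP, URL host or DNS name."""
    matches = []
    for idx, line in enumerate(lines):
        for tok in _TOKEN.findall(line):
            if tok.lower() in blocked:
                matches.append((idx, tok.lower()))
                break
    return matches


if __name__ == "__main__":
    hosts = blocked_hosts(SAMPLE_ENTRIES)
    print("blocked hosts:", sorted(hosts))
    for idx, host in match_log(SAMPLE_LOG, hosts):
        print(f"line {idx}: {host}")
```

Matching on whole tokens rather than substrings matters here: “kei.su” would otherwise also match “www.kei.suy.fd6fq54s6df541q23sdxfg.eu”, and a bare “47.135.208.145” from the Muhstik list would match the inside of an unrelated longer address.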

Affected Platforms

  • Drupal – All versions prior to 8.5.1/8.4.6/8.3.9/7.58
  • ClipBucket, DasanNetwork Solution, Oracle WebLogic Server, WebDAV, Webuzo, WordPress





Drupalgeddon 3 – Remote Code Execution Vulnerability in Drupal

On 25 April 2018 Drupal, the web content management system provider, released a security patch. Within hours of releasing this patch, Drupal detected successful exploitation attempts.

The vulnerability exists in a URL parameter, “destination”, which is not sanitized. Attackers can leverage this to execute arbitrary commands on the web server.

Multiple exploitation examples have been published on the internet since Drupal released the patch. Attackers can also use Google to determine whether a website is vulnerable.

Drupalgeddon (the tool) checks for backdoors and other traces of known exploits of the original “Drupageddon” vulnerability, SA-CORE-2014-005 (SQL injection). Drupalgeddon is not a module; it is a Drush command.

This is a signature-based diagnostic tool and cannot guarantee that a website has not been compromised.

The Drupalgeddon 2 vulnerability announcement came out in late March (2018-03-28) as SA-CORE-2018-002. The advisory was released with a patch and CVE (CVE-2018-7600) at the same time.

The botnet exploits the CVE-2018-7600 vulnerability, also known as Drupalgeddon 2, by requesting a specific URL to gain the ability to execute commands on a server running the Drupal CMS.

Affected Platforms

Drupal – All versions

  • If you are using Drupal version 7.x, upgrade to version 7.59.
  • If you are using Drupal version 8.5.x, upgrade to version 8.5.3.
  • If you are using Drupal version 8.4.x, upgrade to version 8.4.8.
  • Please also note that version 8.4.x is no longer supported; it is recommended that Drupal be upgraded to version 8.5.3.





Drupal Remote Code Execution Vulnerability [CVE-2018-7600]

A vulnerability in multiple subsystems of Drupal could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to an unspecified condition that exists in multiple subsystems of the affected software. An attacker could exploit this vulnerability by sending crafted input to the affected application on a targeted system. An exploit could allow the attacker to execute arbitrary code, which could result in a complete compromise of the affected Drupal site.

Drupal.org has confirmed the vulnerability and released software updates.

Analysis
  • An attacker could achieve a successful exploit from multiple attack vectors on a targeted system. Systems running an affected version of Drupal with default and common module configurations are exploitable.
Safeguards
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators are advised to monitor affected systems.

Vendor Announcements
  • Drupal.org has released a security advisory at the following link: sa-core-2018-002
Fixed Software
  • Drupal.org has released software updates at the following links: