Hackers are taking advantage of vulnerabilities in the Drupal CMS platform by using malicious code disguised as GIF files.
Anyone using the Drupal CMS platform should ensure they have patched their system, because cybersecurity analysts have seen an increase in targeted attacks on a vulnerability that was corrected more than a year ago.
Akamai principal investigator Larry Cashdollar discovered the attack campaign while examining the cloud company's network attack records. Cashdollar said that cybercriminals sought to attack high-profile websites by leveraging Drupalgeddon2, an unauthenticated remote code execution vulnerability in the Drupal CMS platform that was patched in March 2018.
"The fact that these guys are still looking for vulnerabilities that are more than a year old and trying to exploit the systems to install their malicious PHP malware means that there must be many vulnerable systems that people have not patched," Cashdollar said in an interview with TechRepublic.
"They are looking for websites that have been neglected," Cashdollar continued. "It really is a wake-up call for people who have not patched their systems. If you have a Drupal installation, you should have patched it to the latest version. If you have any software such as WordPress, Drupal and Joomla, you should always keep those patched and updated, especially when the version you are running is vulnerable to a significant code execution vulnerability that has been circulating since March 2018."
Cashdollar said the situation was interesting because the people behind the attack were using GIF files to hide their attack.
"I observed an attack designed to execute code that is embedded within a .gif file. Although embedding code in an image file is not a new attack method, I haven't seen this method in a while," he said.
"Attack traffic does not appear to be very widespread at this time, nor does it appear to be directed specifically at a single vertical of the industry. Currently, attack traffic seems to be directed at a random variety of high-profile websites. These guys will likely look for high-profile, unauthenticated remote code execution vulnerabilities like this one and will likely rework their campaigns to target the newest ones that could be newer and will simply modify their code to use that vulnerability to have a vector for infection."
Drupal was very proactive about releasing a patch for Drupalgeddon2, publishing FAQs and other guidance to ensure that the security flaw was resolved correctly.
According to Cashdollar, he only saw an increase in this type of attack in the last month. By using .gifs, the people behind the attack tried to evade detection and infect machines.
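The technique described above, PHP code hidden inside a file that carries an image extension, is something a site administrator can look for directly on disk. The following is an added example, not code from the article, from Akamai, or from the Drupal project: it walks a web root, flags image files whose leading bytes do not match the well-known GIF, PNG or JPEG signatures, and flags any image file that contains a PHP open tag, which a genuine image never needs. The directory layout (`sites/default/files`) and the sample files it builds are constructed for the demonstration; the polyglot sample contains only a harmless `echo`.

```python
import os
import re
import tempfile

# Well-known file signatures for the image types usually found in a CMS upload directory.
IMAGE_SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# PHP open tags; a real image has no reason to contain either of them.
PHP_TAG = re.compile(rb"<\?php|<\?=")


def inspect_image(path):
    """Return a list of findings for one image file (an empty list means it looks clean)."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    signatures = IMAGE_SIGNATURES.get(ext)
    # Check 1: the file must start with the signature its extension promises.
    if signatures and not data.startswith(signatures):
        findings.append("header does not match %s signature" % ext)
    # Check 2: a valid header is not enough; a polyglot keeps the header and appends code.
    if PHP_TAG.search(data):
        findings.append("contains PHP open tag")
    return findings


def scan_webroot(root):
    """Walk a web root and return {relative_path: findings} for every suspicious image file."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in IMAGE_SIGNATURES:
                continue
            full = os.path.join(dirpath, name)
            findings = inspect_image(full)
            if findings:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = findings
    return results


def build_sample_webroot():
    """Create a temporary directory with constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="drupal_webroot_")
    files_dir = os.path.join(root, "sites", "default", "files")  # hypothetical upload dir
    os.makedirs(files_dir)
    # Constructed: a minimal, genuine 1x1 GIF89a image.
    clean_gif = (
        b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
        b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
    )
    with open(os.path.join(files_dir, "logo.gif"), "wb") as fh:
        fh.write(clean_gif)
    # Constructed: a polyglot, valid GIF header followed by a harmless PHP tag.
    with open(os.path.join(files_dir, "banner.gif"), "wb") as fh:
        fh.write(clean_gif + b"\n<?php echo 'constructed sample'; ?>\n")
    # Constructed: a plain PHP file merely renamed to .png.
    with open(os.path.join(files_dir, "icon.png"), "wb") as fh:
        fh.write(b"<?php echo 'constructed sample'; ?>\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, problems in sorted(scan_webroot(sample_root).items()):
        print("%s: %s" % (rel_path, "; ".join(problems)))
```

Run against a real web root (`scan_webroot("/var/www/html")`, path assumed) the scan is a quick triage aid, not a substitute for patching: a polyglot only becomes dangerous when something executes it, so the findings should be paired with a web server rule that refuses to run scripts from the upload directory and with the Drupal update itself.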
He added that this was just another reminder for companies to patch everything and keep up with the latest security updates.
"Critical vulnerabilities will be attacked, even if their public disclosure was more than one year ago. When the exploitation of the vulnerability is simple, such as Drupalgeddon2, the attackers will automate the scanning, exploitation and infection process when there are poorly maintained and forgotten systems. This creates a problem for business operations and web administrators, since these old forgotten installations are often connected to other critical systems, creating a pivot point in the network," Cashdollar wrote in a blog post.
"Maintaining patches in a timely manner," Cashdollar said, "as well as properly dismantling servers if they are no longer used is the best preventive measure that administrators and security teams can take."