IoT Botnet begins Drupalgeddon 2 Campaign

A sizable botnet made up of servers and numerous smart devices has begun the mass exploitation of a severe Drupal CMS vulnerability. Drupal is an open source Content Management System (CMS) used to create and manage digital content, most often web pages, and is a popular tool among web developers. What makes this new botnet campaign interesting, although such behavior is becoming less novel, is the way it searches for and infects new machines: propagation of this kind is generally a characteristic of worms rather than of traditional botnet campaigns.

The botnet is currently exploiting CVE-2018-7600, often referred to as Drupalgeddon 2 by the Drupal community, after the original Drupalgeddon security bug, CVE-2014-3704, disclosed in 2014, which led to numerous Drupal sites getting hacked for years afterward. If exploited correctly, CVE-2018-7600 allows an attacker to run any code he desires against the CMS core, effectively taking over the site. What made this vulnerability deserving of more attention is that exploiting it requires no registered or authenticated account on the targeted site; all the attacker must do is access a URL.

The Drupal security team patched Drupalgeddon 2 on March 28 with the release of Drupal 7.58 and Drupal 8.5.1. The quick turnaround in patching can be partly attributed to the vulnerability being rated highly critical, scoring 24 out of 25 on the scale used to rate the severity of Drupal vulnerabilities. Drupal site owners should update to these versions (or newer) to avoid having their sites and servers taken over by cyber-criminals.
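The fix shipped in Drupal 7.58 and 8.5.1 works by stripping request parameters whose names begin with "#" before they reach the Form API, since Drupal treats such keys as render properties. A defender can use the same rule to review web server access logs for requests that carry those keys. The script below is an added example written for this article, not code from Drupal or from the Netlab report; the log lines, addresses and paths in it are constructed, not captured traffic.

```python
"""Flag HTTP requests whose query-string parameter names begin with '#'.

Drupal's Form API treats '#'-prefixed array keys as render properties, and the
SA-CORE-2018-002 fix (Drupal 7.58 / 8.5.1) strips such keys from incoming
requests. Requests that still carry them are worth a closer look in access
logs. Added example, not the article's code.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl

# Combined log format: client, ident, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (hypothetical addresses and paths, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Apr/2018:10:01:02 +0000] "GET /user/register HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [20/Apr/2018:10:01:05 +0000] "GET /user/register?%23example=1&page=1 HTTP/1.1" 200 1421 "-" "python-requests/2.18"
203.0.113.12 - - [20/Apr/2018:10:01:09 +0000] "POST /node/1?_format=json HTTP/1.1" 403 231 "-" "curl/7.58"
203.0.113.13 - - [20/Apr/2018:10:01:12 +0000] "GET /?q=%23other%2Fpath&x=y HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.14 - - [20/Apr/2018:10:01:15 +0000] "GET /index.php?form%5B%23nested%5D=x HTTP/1.1" 200 980 "-" "curl/7.58"
"""


def hash_keys(query: str) -> List[str]:
    """Return parameter names (or nested bracket segments) that start with '#'.

    PHP turns 'form[#nested]=x' into a nested array, so every bracket segment
    is checked, not only the top-level name. Values are deliberately ignored:
    a '#' inside a value is not a render property.
    """
    found = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        segments = re.split(r"[\[\]]", name)
        if any(seg.startswith("#") for seg in segments):
            found.append(name)
    return found


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client_ip, request_target, offending_keys) for suspicious lines."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole scan
        target = m.group("target")
        # Split on the first '?' ourselves: a raw '#' in a logged URI must not be
        # treated as a URL fragment the way urlsplit() would treat it.
        _path, _, query = target.partition("?")
        keys = hash_keys(query)
        if keys:
            hits.append((m.group("ip"), target, keys))
    return hits


if __name__ == "__main__":
    for ip, target, keys in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> '#'-prefixed keys: {keys}")
```

Access logs record only the query string, so the same check should be applied to POST bodies where a reverse proxy or WAF captures them. The fourth sample line is the edge case that matters: "#" inside a value is legitimate and is not flagged, only "#" at the start of a key or nested key is.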

Muhstik Botnet

Researchers at the Chinese security firm Qihoo 360 Netlab, together with experts at GreyNoise Intelligence, spotted the shift in this botnet's activity from various other exploits to the Drupalgeddon 2 vulnerability at the start of the week. The Netlab team has started referring to this botnet as Muhstik, based on a term used in many of its payloads. The Netlab report published April 20 determined that the Muhstik botnet is built on top of Tsunami. Active since 2002, Tsunami has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware.


Tsunami was primarily used to carry out Distributed Denial of Service (DDoS) attacks. Since its source code was leaked online, the number of features Tsunami boasts has greatly increased. In 2011 security researchers at ESET discovered that malware authors had modified the code to target systems and devices running Mac OS X. The Mac variant resembled its older Linux sibling, one of the major differences being that it is a 64-bit Mach-O binary instead of an ELF binary.

The Muhstik version of Tsunami continues the trend of continually adding to its feature set. Researchers at Netlab discovered that this variant has several different payloads. Not only can it launch a DDoS attack, it can also install the XMRig Monero miner or the CGMiner Dash miner on infected hosts in an attempt to extract more money from them.

Muhstik Boasts One More Surprise

Besides the payloads detailed above, Muhstik has one more surprise for its victims. Immediately after infecting a Drupal website, the malware also downloads a scanning module. This module contacts a different set of command and control servers than the regular Muhstik ones, generates a list of IP addresses, and starts scanning for vulnerable systems. Muhstik scans these IPs on predefined ports, attempting to identify new systems, whether servers or smart devices, to infect. The predefined ports include the following:

  • 80: WebLogic, WordPress, Drupal, WebDAV, ClipBucket
  • 2004: Webuzo
  • 7001: WebLogic
  • 8080: WordPress, WebDAV, DasanNetwork Solution

Once the scanning module finds a new victim, the infected host reports the potential new host to one of the main Muhstik C&C servers by sending a request to a specific URL. This technique of propagating across networks and devices is becoming increasingly popular in modern botnet campaigns. Muhstik may be the first campaign to exploit the Drupalgeddon 2 vulnerability. The authors behind Muhstik also appear to be diversifying their attack vectors: GreyNoise reports that it has seen an increase in the targeting of Oracle WebLogic systems as well.
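An infected host running the scanning module behaves very differently from a normal server: within a short window it opens connections to many distinct addresses on the handful of ports listed above. That pattern is visible in flow or firewall logs without any knowledge of the malware itself. The script below is an added example written for this article, not code from Netlab or GreyNoise; the flow records it analyses are constructed, with 10.0.0.5 playing the scanning host and 10.0.0.7 an ordinary client, and the five-minute window and threshold of 20 distinct targets are assumed tuning values.

```python
"""Spot worm-style scanning in connection logs: one internal host touching many
distinct destinations on the ports the Muhstik scanner probes (80, 2004, 7001
and 8080, as listed in the article). Added example, not the article's or
Netlab's code; the flow records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Ports the article lists as the scanner's targets.
SCAN_PORTS = {80, 2004, 7001, 8080}

# Constructed flow records: "timestamp src_ip dst_ip dst_port".
# 10.0.0.5 sweeps 30 hosts on port 80 and 10 more on port 7001 within two
# minutes; 10.0.0.7 is an ordinary client talking to a few sites.
SAMPLE_FLOWS = "\n".join(
    [f"2018-04-20T10:00:{i:02d} 10.0.0.5 198.51.100.{i} 80" for i in range(30)]
    + [f"2018-04-20T10:01:{i:02d} 10.0.0.5 198.51.100.{100 + i} 7001" for i in range(10)]
    + [
        "2018-04-20T10:00:10 10.0.0.7 93.184.216.34 80",
        "2018-04-20T10:00:11 10.0.0.7 93.184.216.34 80",
        "2018-04-20T10:00:12 10.0.0.7 192.0.2.50 8080",
        "2018-04-20T10:00:13 10.0.0.7 192.0.2.51 443",
    ]
)

Flow = Tuple[datetime, str, str, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow records into (time, src, dst, port)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_scanners(
    records: List[Flow],
    window: timedelta = timedelta(minutes=5),  # assumed tuning value
    threshold: int = 20,                        # assumed tuning value
) -> Dict[str, int]:
    """Return {src_ip: peak distinct (dst, port) targets} for sources that reach
    the threshold on SCAN_PORTS inside any sliding time window."""
    per_src: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for ts, src, dst, port in records:
        if port in SCAN_PORTS:  # ignore traffic to ports the scanner does not probe
            per_src[src].append((ts, dst, port))

    scanners: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        seen: Dict[Tuple[str, int], int] = {}  # (dst, port) -> hits inside window
        start = 0
        for end, (ts, dst, port) in enumerate(events):
            seen[(dst, port)] = seen.get((dst, port), 0) + 1
            # Slide the window forward, dropping events older than `window`.
            while events[start][0] < ts - window:
                old = (events[start][1], events[start][2])
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(seen))
    return scanners


if __name__ == "__main__":
    for src, targets in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {targets} distinct targets on scan ports within window")
```

Counting distinct destination and port pairs rather than raw connections keeps a busy but legitimate client, which reconnects to the same few servers repeatedly, below the threshold, while a sweep across a subnet crosses it quickly. Restricting the count to the listed ports is a choice that fits this campaign; widening SCAN_PORTS trades specificity for coverage of scanners with other target lists.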

Botnets and Worms

With the advent of the Internet of Things (IoT), botnets have become a major security threat. Botnets owe much of their popularity to their ability to infiltrate almost any internet-connected device, from DVR players to corporate networks. For a botnet to be successful it cannot infect just one device; a botnet network needs to consist of hundreds of thousands of infected servers and devices, and some botnets have grown into the millions. Once infected, the devices can be used to mine cryptocurrency or launch DDoS attacks, both of which experts have determined Muhstik capable of. To infect millions of devices a botnet needs an effective delivery system, and malware authors often employ several methods. Delivery via email and compromised downloads is still widely used because it is still effective, but it requires user interaction. By using a worm, the malware can be distributed to vulnerable devices without any user interaction. Including a worm among a botnet's features is becoming popular, and Muhstik is no different.

There are a number of defenses against the attacks that botnets are used for, but nearly all of them operate at the Internet Service Provider (ISP) or server level. For users, the defense against becoming part of a botnet is to keep all of the software on their machines patched and up to date and to resist clicking on suspicious links. Attackers rely on the gullibility of users to open malicious attachments or click on shady links in order to get their malware onto new PCs, while keeping software patched and up to date prevents attackers from exploiting a known vulnerability. Removing that avenue from the equation makes it far more difficult for attackers to build and use botnets.