Incident Of The Week: Drupal Vuln. Being Exploited By ‘Muhstik’ Botnet

Dan Gunderman

Photo: Gil C/

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine an exploited vulnerability on Drupal content management systems (CMS), which has impacted 1 million sites or about 9% of sites running a known CMS (this according to Builtwith). Netlab 360 researchers discovered a botnet exploiting the vulnerability, which they’ve dubbed “Muhstik,” because it’s a keyword that has frequently appeared in file names and other communication.

Drupal released a patch for the vulnerability in March, but its effects have been pervasive. According to Drupal’s “FAQ about SA-CORE-2018-002," the NIST Common Misuse Score for the vulnerability is 24/25, or “highly critical.” The open source content-management framework provider said that data is at risk, as is exfiltration with nothing in the way of a paper trail.

On March 28, Drupal wrote: “A successful exploit of the vulnerability can have a dramatic impact on the site.” It continued: “Sites not patched by Wednesday, April 11, 2018, may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that.”

See Related: Incident Of The Week: Hackers Take Out Caribbean Govt., Access Railway Data

The host suggested that updates may not remove backdoors or fix compromised sites, and that builders should update and investigate. The vulnerability was reportedly discovered in “general research into the security of Drupal.”

In an update to SA-CORE-2018-002 on April 13, Drupal wrote that if sites were not updated, “you should assume (it) has been targeted and follow directions for remediation…”

The security team said it was aware of “automated attacks (which) attempted to compromise Drupal 7 and 8 websites using the vulnerability…”

The update suggested that attackers may have inserted access points in the database, code, files directory and other locations.

The incident is ongoing, as Drupal released new information on April 23, saying that an update would take place that was “outside of the regular schedule of security releases.” It said that there is “some risk that exploits might be developed within hours or days.”

Incident of the Week Drupal Vulnerability

Cue the Muhstik botnet which attackers are leveraging to install cryptocurrency miners and launch DDoS attacks. According to Netlab 360, at least three groups of malware campaigns are exploiting the Drupal vuln.

“We noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for a quit [sic] a time,” Netlab 360 researchers wrote in their report. “We name it muhstik, for this key word keeps popup [sic] in its binary name and the communication IRC channel.”

See Related: Incident Of The Week: Hackers Target U.S. Gas Pipelines

Netlab says that the vulnerability is worth noting and/or addressing, for it has worm propagation properties, is long-standing, uses seven exploits and uses xmrig, cgminer and DDoS for profit.

Commenting on this hard-hitting Drupal vulnerability, ESG Global Research Senior Analyst and Group Director, Doug Cahill, told the Cyber Security Hub: “Vulnerability mitigation needs to start in development and continue into production. Developers should be performing static code analysis, ideally with solutions that integrate their SDLC tool set.”

He continued: “In test environments we should be wringing out known vulns and hardening configs. And then in production to deal with such situations, virtual patching that looks for exploit behavior to detect and prevent anomalous net-flow activity should be employed.”

Nevertheless, Drupal’s security updates appear to be working against the clock to shore up its systems before more data or sites, en masse, are compromised.

Be Sure To Check Out: Incident Of The Week: Ransomware Cripples Atlanta City Government