Attacks Cloud Data Executive Decisions IoT Malware Mobile Network Security Strategy Threat Defense
Attacks Cloud Data Executive Decisions IoT Malware Mobile Network Security Strategy Threat Defense

Incident Of The Week: Drupal Vuln. Being Exploited By ‘Muhstik’ Botnet

Add bookmark
Dan Gunderman
Dan Gunderman
04/27/2018
Photo: Gil C/Shutterstock.com

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine an exploited vulnerability on Drupal content management systems (CMS), which has impacted 1 million sites or about 9% of sites running a known CMS (this according to Builtwith). Netlab 360 researchers discovered a botnet exploiting the vulnerability, which they’ve dubbed “Muhstik,” because it’s a keyword that has frequently appeared in file names and other communication.

Drupal released a patch for the vulnerability in March, but its effects have been pervasive. According to Drupal’s “FAQ about SA-CORE-2018-002," the NIST Common Misuse Score for the vulnerability is 24/25, or “highly critical.” The open source content-management framework provider said that data is at risk, as is exfiltration with nothing in the way of a paper trail.

On March 28, Drupal wrote: “A successful exploit of the vulnerability can have a dramatic impact on the site.” It continued: “Sites not patched by Wednesday, April 11, 2018, may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that.”

See Related: Incident Of The Week: Hackers Take Out Caribbean Govt., Access Railway Data

The host suggested that updates may not remove backdoors or fix compromised sites, and that builders should update and investigate. The vulnerability was reportedly discovered in “general research into the security of Drupal.”

In an update to SA-CORE-2018-002 on April 13, Drupal wrote that if sites were not updated, “you should assume (it) has been targeted and follow directions for remediation…”

The security team said it was aware of “automated attacks (which) attempted to compromise Drupal 7 and 8 websites using the vulnerability…”

The update suggested that attackers may have inserted access points in the database, code, files directory and other locations.

The incident is ongoing, as Drupal released new information on April 23, saying that an update would take place that was “outside of the regular schedule of security releases.” It said that there is “some risk that exploits might be developed within hours or days.”

Incident of the Week Drupal Vulnerability

Cue the Muhstik botnet which attackers are leveraging to install cryptocurrency miners and launch DDoS attacks. According to Netlab 360, at least three groups of malware campaigns are exploiting the Drupal vuln.

“We noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for a quit [sic] a time,” Netlab 360 researchers wrote in their report. “We name it muhstik, for this key word keeps popup [sic] in its binary name and the communication IRC channel.”

See Related: Incident Of The Week: Hackers Target U.S. Gas Pipelines

Netlab says that the vulnerability is worth noting and/or addressing, for it has worm propagation properties, is long-standing, uses seven exploits and uses xmrig, cgminer and DDoS for profit.

Commenting on this hard-hitting Drupal vulnerability, ESG Global Research Senior Analyst and Group Director, Doug Cahill, told the Cyber Security Hub: “Vulnerability mitigation needs to start in development and continue into production. Developers should be performing static code analysis, ideally with solutions that integrate their SDLC tool set.”

He continued: “In test environments we should be wringing out known vulns and hardening configs. And then in production to deal with such situations, virtual patching that looks for exploit behavior to detect and prevent anomalous net-flow activity should be employed.”

Nevertheless, Drupal’s security updates appear to be working against the clock to shore up its systems before more data or sites, en masse, are compromised.

Be Sure To Check Out: Incident Of The Week: Ransomware Cripples Atlanta City Government

Tags: Cyber Security Incident of the Week Vulnerability Vuln Botnet Muhstik CMS Content Management Security Updates Drupal IT Tech

Upcoming Events

Building high-performing development teams: Harnessing tools, processes & AI

02 May, 2024
Online

Register Now | View Event
Building high-performing development teams: Harnessing tools, processes & AI

Digital Identity Week

June 11 - 13, 2024
Melbourne, Victoria

Register Now | View Agenda | View Event
Digital Identity Week

Anti-Financial Crime Exchange Europe 2024

September 19-20
Frankfurt, Germany

Register Now | View Agenda | View Event
Anti-Financial Crime Exchange Europe 2024
MORE EVENTS

Follow Us

         

Latest Webinars

Building high-performing development teams: Harnessing tools, processes & AI

2024-05-02
11:00 AM - 12:00 PM EDT

Discover how to enhance your development team’s efficiency through advanced tools, Agile methodologi...
Building high-performing development teams: Harnessing tools, processes & AI

Building cyber resilience

2024-04-24
11:30 AM - 12:30 PM SGT

Why it’s essential that technology seamlessly connects IT, security, risk and the business
Building cyber resilience

Strategies to enhance secure customer onboarding

2024-03-27
11:30 AM - 12:30 PM SGT

Focus on achieving speedy and secure customer onboarding and combat user lifecycle fraud with phone...
Strategies to enhance secure customer onboarding
MORE WEBINARS

RECOMMENDED

FIND CONTENT BY TYPE

Cyber Security Hub COMMUNITY

ADVERTISE WITH US

Advertise Now

JOIN THE Cyber Security Hub COMMUNITY

Join CSHUB today and interact with a vibrant network of professionals, keeping up to date with the industry by accessing our wealth of articles, videos, live conferences and more.

Learn more
iqpc logo

Cyber Security Hub, a division of IQPC

© 2024 All rights reserved. Use of this site constitutes acceptance of our User Agreement, Privacy Policy and Cookies Settings.

Careers With IQPC| Contact Us | About Us | Cookie Policy