Drupalgeddon 2 & 3 Madness: Exposing Websites to Critical Vulnerabilities

Etai Hochman, At-Bay
May 8, 2018


At-Bay provides cyber insurance for the digital age. Learn more at at-bay.com.

In the past few months, Content Management System (CMS) giant Drupal made several announcements that have broad ramifications for online security. Drupal is an open-source framework which is the second largest CMS in the world and serves 9% of all CMS-backed websites.

On March 28th, Drupal announced the discovery of Drupalgeddon 2, a Remote Code Execution (RCE) vulnerability (CVE-2018-7600) affecting all Drupal releases to date. Soon after, on April 12th, the first proof-of-concept code was made publicly available for research; by then the code had already been used by attackers, remotely and anonymously, to exploit Drupal websites.

On April 25th, Drupalgeddon 3, another critical Drupal RCE vulnerability, was disclosed. Sophisticated attackers were exploiting it within hours of the publication of the vulnerability. Proofs of concept were released several days later, enabling less sophisticated attackers to use the vulnerability as well.

Hackers love RCE vulnerabilities because they give attackers two paths to profit: the first lets the attacker hijack more resources in the network, and the second lets the attacker also infect the website’s visitors.

[Figure] Example of a kill chain relevant to Drupalgeddon 2

Once their malicious code is running, hackers have a variety of options, including mining cryptocurrency, stealing data, and installing ransomware.

[Figure] Map of potential hacker options after malicious code is installed

Additional technical details of the vulnerabilities can be found at the following sites:

Severity and likelihood of RCE exploits

Severity:

RCE vulnerabilities are the most critical class of vulnerability because of the consequences of a successful attack.

Normally a successful attack would lead to the compromise of a single server and the infection of all of the website’s visitors. In the worst case, the attacker would also move laterally in the network to hijack more servers.

Likelihood:

Attackers will act indiscriminately using search engines (such as Shodan) to automate the discovery of websites with Drupal. Readily available code will enable the automation of the process to attack large batches of companies.

Easily automatable vulnerabilities lead to a high likelihood of attack.

Impact on cyber insurance

This Drupal vulnerability is one of many RCE vulnerabilities, each of which can affect a company in several ways.

These types of attacks are likely to lead to the following types of insurable damages:

  1. Cyber Attack: Including the cost of contractors to help respond to an incident
  2. Extortion: Payment demanded by the attacker
  3. Business interruption: Resulting in loss of revenues from the website or lack of productivity
  4. Data Breach: Notification, legal, credit monitoring, and regulatory costs

[Figure] The same post-breach graph, color-coded with the triggered coverages.

[Figure] How different hacker routes trigger different kinds of insurable damage

How to protect against Drupalgeddon attacks

Patch! The Drupal security team has created an FAQ to help their users patch and make sure they are secure.

However, patching is sometimes difficult and always takes time. Sophisticated attackers exploit new vulnerabilities in a matter of hours, and less sophisticated attackers within days. Therefore, patching alone is too slow to keep organizations safe.

A better approach than patching as soon as every vulnerability is published is to use security technology designed to keep assets safe. An available solution for websites and web applications is a Web Application Firewall (WAF), which provides a buffer for the time required to patch.

We can safely recommend the following WAF vendors to reinforce security and reduce exposure to vulnerabilities: Incapsula, Cloudflare, and Sucuri.
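To make the "buffer while you patch" idea concrete, here is an added example of the kind of virtual-patch rule a WAF applies in front of an unpatched site. It is not part of the original post and not code from Drupal or from any of the vendors named above. It rests on one fact about the vulnerability: Drupal's render API reserves array keys that begin with '#', and Drupal's fix for CVE-2018-7600 strips such keys from user-supplied request data. The filter below enforces the same rule on incoming query strings and form bodies (parameter names in PHP/Drupal bracket syntax such as `a[b][#c]`), rejects and logs any request that carries a reserved key, and is exercised on constructed sample requests; the function and sample names are this example's own.

```python
"""
Added illustration (not Drupal's code, not a vendor product): a minimal
request filter of the kind a WAF "virtual patch" applies while a site
waits for the real patch.

Drupal's render API reserves array keys that begin with '#', and the fix
for CVE-2018-7600 strips such keys out of user-supplied request data.
This filter enforces the same rule in front of the application: any GET
or POST parameter whose name, or any bracketed segment of its name, begins
with '#' is rejected and logged. All sample requests are constructed.
"""
import logging
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import parse_qs

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("virtual-patch")

# Matches each "[segment]" in a PHP/Drupal-style name such as "a[b][#c][]".
_SEGMENT = re.compile(r"\[([^\]]*)\]")


def key_path(name: str) -> List[str]:
    """Split "account[mail][#markup]" into ["account", "mail", "#markup"]."""
    head, sep, rest = name.partition("[")
    segments = [head]
    if sep:
        segments.extend(_SEGMENT.findall("[" + rest))
    return segments


def reserved_segments(name: str) -> List[str]:
    """Return the '#'-prefixed segments of a parameter name (empty when clean)."""
    return [s for s in key_path(name) if s.startswith("#")]


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def inspect_request(method: str, path: str, query: str = "", body: str = "") -> Decision:
    """Inspect the query string and form body; block on any reserved key.

    parse_qs percent-decodes names, so an encoded "%23" prefix is caught too.
    """
    reasons: List[str] = []
    for source, raw in (("query", query), ("body", body)):
        if not raw:
            continue
        # keep_blank_values: a parameter with an empty value must still be examined
        for name in parse_qs(raw, keep_blank_values=True):
            hits = reserved_segments(name)
            if hits:
                reasons.append(f"{source} parameter {name!r} uses reserved key {hits[0]!r}")
    decision = Decision(allowed=not reasons, reasons=reasons)
    if reasons:
        # One log line per blocked request gives the SOC a signal to correlate
        log.warning("blocked %s %s: %s", method, path, "; ".join(reasons))
    return decision


# Constructed sample traffic: (method, path, query, body)
SAMPLE_REQUESTS: List[Tuple[str, str, str, str]] = [
    ("POST", "/user/register", "", "name=alice&mail=alice%40example.org&op=Create+new+account"),
    ("POST", "/user/register", "", "account[mail][#markup]=x"),   # nested reserved key
    ("GET", "/node/1", "%23foo=bar", ""),                          # percent-encoded '#'
]


def run_samples() -> List[bool]:
    """Return the allow/deny outcome for each constructed sample request."""
    return [inspect_request(*req).allowed for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, allowed in zip(SAMPLE_REQUESTS, run_samples()):
        print("ALLOW" if allowed else "BLOCK", req[0], req[1])
```

The rule is deliberately narrow: it blocks a whole class of input the application never legitimately accepts from users, which is what makes it safe to deploy quickly and keep in place until the real patch is applied. The warning log line is the detection side of the same control, since a burst of blocked requests across many hosts is exactly the indiscriminate scanning the Likelihood section describes.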

Etai Hochman

At-Bay, CTO
