Recently Patched Drupal RCE Flaw Discovered Actively Exploited in the Wild

security Governance trends 1/5 (2)

Threat actors have already started exploiting recently patched Drupal RCE flaw (CVE-2019-6340) to deliver cryptocurrency miners.

Earlier this week Drupal patched a critical remote code execution flaw (CVE-2019-6340) in Drupal Core which could allow attackers to execute arbitrary PHP code.

“Some field types do not properly sanitize data from non-form sources which can lead to arbitrary PHP code execution in some cases.” said in the security advisory published by Drupal.

Just two days after the patches were released, a proof-of-concept (PoC) exploit code for the vulnerability was made publicly available.

Now security researchers at Imperva discovered a series of attacks exploiting the CVE-2019-6340 flaw just after exploit code was published. The attack started three days after the Drupal patched the vulnerability.

Attacks were originated from several attackers and countries targeting vulnerable Drupal websites including sites in the government and financial sectors.

“Imperva research teams constantly analyze attack traffic from the wild that passes between clients and websites protected by our services. We’ve found dozens of attack attempts aimed at dozens of websites that belong to our customers using this exploit, including sites in government and the financial services industry.”

Attackers were discovered using a few interesting payloads in the series of attacks. One of the payloads attempts to inject a Javascript cryptocurrency miner named CoinIMP into the index.php file of the targeted website to mine Monero and Webchain cryptocurrencies.

The attacker also tried to install to install a shell uploader to upload arbitrary files on the targeted website.

Drupal released version Drupal 8.6.10 and 8.5.11 to address the vulnerability. For Drupal 7 No core update is required but several Drupal 7 contributed modules  should be updated.

All admins and users are advised to immediately update their Drupal websites.

For the latest cyber threats and the latest hacking news please follow us on FacebookLinkedin and Twitter.

You may be interested in reading:Several Photo Editing Apps Found Stealing Users Photos


Please rate this content