New Drupal flaws exploited for cryptojacking attacks

Just days after Drupal released patches for a “highly critical” security flaw in the CMS, attackers are exploiting it to install cryptocurrency miners on enterprise websites.

The flaw, tracked as CVE-2019-6340 (Drupal advisory SA-CORE-2019-003), allows a remote attacker to run arbitrary code on an affected Drupal site and potentially compromise the web server. According to the advisory, some field types do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution when a web services module such as the core REST module is enabled.

Drupal warned website admins last week that it was preparing to release a patch for a severe flaw affecting the 8.5.x and 8.6.x branches of the software; the fixes shipped in Drupal 8.5.11 and 8.6.10.

Given past attacks using last year’s trio of Drupalgeddon flaws, there was a high chance that attackers would use the new flaw soon after it became known. 

Until the appropriate Drupal core patches had been installed, Drupal recommended one of two mitigations: disable all web services modules, or configure the web server to refuse PUT, PATCH and POST requests to web services resources.

But researchers at Ambionics Security found that their exploit for the flaw still worked against sites that had applied the second mitigation and blocked only PUT/PATCH/POST requests to those resources.

The company released a proof-of-concept exploit demonstrating that the bug could still be triggered remotely with a GET request, which the method-based mitigation does not block.
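To make that gap concrete, here is an added example (written for this article, not code from Drupal, Ambionics or Imperva) that triages web-server access log lines for requests asking a Drupal REST resource for the hal_json serialization format, which is the format the public exploit selects through the _format query parameter. It applies the advisory's method-based rule and a method-agnostic rule side by side. The log lines and IP addresses are constructed, and the REST_FORMATS set is an assumption to adjust to the formats your site actually enables.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2019:10:01:02 +0000] "POST /node/1?_format=hal_json HTTP/1.1" 403 199 "-" "python-requests/2.21.0"
203.0.113.7 - - [25/Feb/2019:10:01:09 +0000] "GET /node/1?_format=hal_json HTTP/1.1" 200 1532 "-" "python-requests/2.21.0"
198.51.100.4 - - [25/Feb/2019:10:02:30 +0000] "GET /node/1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Feb/2019:10:03:11 +0000] "GET /jsonapi/node/article?_format=api_json HTTP/1.1" 200 4411 "-" "curl/7.64.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Methods the advisory's web-server mitigation told admins to block.
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Serialization formats served by Drupal 8's REST module. hal_json is the one
# the public CVE-2019-6340 exploit requests; "json" is included as an assumed
# extra format a site may have enabled. Tune this to your configuration.
REST_FORMATS = {"hal_json", "json"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Drupal selects the REST serializer via the _format query parameter.
    rec["format"] = parse_qs(parts.query).get("_format", [None])[0]
    return rec


def blocked_by_method_mitigation(rec):
    """The advisory's interim rule: refuse PUT/PATCH/POST to web services resources."""
    return rec["method"] in WRITE_METHODS and rec["format"] in REST_FORMATS


def suspicious_rest_request(rec):
    """Method-agnostic rule: any request selecting a REST serialization format."""
    return rec["format"] in REST_FORMATS


def triage(log_text):
    """Split REST-format requests into those the method rule catches and those it misses.

    Returns two lists of (ip, method, path, format) tuples.
    """
    caught, missed = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not suspicious_rest_request(rec):
            continue
        entry = (rec["ip"], rec["method"], rec["path"], rec["format"])
        (caught if blocked_by_method_mitigation(rec) else missed).append(entry)
    return caught, missed


if __name__ == "__main__":
    caught, missed = triage(SAMPLE_LOG)
    for entry in caught:
        print("caught by PUT/PATCH/POST rule:", entry)
    for entry in missed:
        print("MISSED by PUT/PATCH/POST rule:", entry)
```

Run against the sample, the POST to /node/1?_format=hal_json is reported as caught while the GET to the same resource with the same _format parameter is reported as missed, which is exactly the bypass Ambionics described. Two practical points follow from this: access logs never record request bodies, so a GET that carries a body is invisible unless you key on the _format parameter (or, at a WAF, on a GET that arrives with a Content-Type and body); and the ordinary browser request to /node/1 without _format is not flagged, so the rule does not drown real traffic in false positives.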

Security firm Imperva has since discovered “dozens” of attack attempts using the exploit, including against sites operated by government and financial services organizations.

The current round of attacks delivers several payloads, including one that tries to inject a JavaScript cryptojacking script called CoinIMP, which uses the hardware of a site’s visitors to mine the Monero and Webchain cryptocurrencies.

The payload also attempts to install an uploader, giving the attacker a persistent way to place files of their choosing on the compromised server whenever they want.

The attacks are not yet as widespread as the campaigns in the first half of 2018 that exploited the Drupalgeddon flaws, but those, too, were used to install backdoors and crypto miners.
