A botnet made up of servers and smart devices has begun the mass exploitation of a severe Drupal CMS vulnerability and is using already compromised systems to infect new machines, in a worm-like behavior. The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.
Muhstik botnet starts attacking Drupal sites
Qihoo 360 Netlab researchers, along with experts from
GreyNoise Intelligence, have spotted the shift in this botnet's activity from various other exploits to the Drupalgeddon 2 vulnerability at the start of the week. The Netlab team has started referring to this botnet as Muhstik, based on the term used in many of its payloads.
At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware. Crooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online.
