Over the last several days, RiskIQ has observed numerous incidents involving visits to sites running on the Drupal content management system. Several installations of Drupal 7 have been observed serving an injected script tag that directs site users to sites hosting the RIG exploit kit.
Observed instances of RIG incidents tied to campaign
The same RIG infrastructure (identified by second level DNS domains) is also receiving traffic from sites running WordPress, with similar compromise patterns.
On October 15, the Drupal project published advisory SA-CORE-2014-005 (and an accompanying FAQ) describing a vulnerability in the database abstraction API layer that allows SQL injection by unauthenticated remote users. SQL injection flaws can pave the way for privilege escalation, arbitrary code execution, account takeover and, in some cases, complete compromise of an application or server. SQL injection is also a common technique for inserting malicious script tags into website content to drive traffic to blackhat infrastructure.
On October 29, the Drupal project published a public service announcement notifying users of confirmed reports of mass SQL injection attacks leveraging the disclosed vulnerability. Drupal rates the impact of the vulnerability as 25/25; it further states:
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Examples
The following Drupal-based websites were observed driving traffic to the exploit kit infrastructure. Incident links are provided to view additional information about observed activity. The method of redirection for the drive-by download is simple compared to many other active malware distribution campaigns: the iframe is injected directly into the site content and renders at CMS page load time. The iframe points directly to the exploit kit landing page; no intermediary redirection or rotation (TDS) services are used to add misdirection.
Popular Science (www.popsci.com) Incident link
Upon hitting a page returning a 404, the iframe is returned by the 404 handler.
Iframe redirecting Popular Science online visitors to RIG exploit kit
Homestead Technologies (www.homestead.com)
Web hosting firm Homestead was also impacted:
iframe redirecting Homestead visitors to RIG exploit kit
Typepad (www.typepad.com) Incident link
iframe redirecting Typepad visitors to RIG exploit kit
Spin Magazine (www.spin.com) Incident link
iframe redirecting SPIN visitors to RIG exploit kit
Advertise.com (www.advertise.com) Incident link
iframe redirecting Advertise.com visitors to RIG exploit kit
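The pattern described in this section, an iframe written straight into page content and in one case returned only by the 404 handler, can be checked for by auditing error responses as well as normal pages for iframes that point off-site. The following is an added example, not RiskIQ's tooling; the URLs, the allowlist and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: v or "" for k, v in attrs})


def offsite_iframes(html, page_url, allowed_hosts=()):
    """Return the src of each iframe that points outside the trusted hosts."""
    trusted = {urlsplit(page_url).hostname, *allowed_hosts}
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.frames:
        src = urljoin(page_url, attrs.get("src", "").strip())
        host = urlsplit(src).hostname
        # Trust exact names and their subdomains only (no bare suffix match).
        if host and not any(host == t or host.endswith("." + t) for t in trusted):
            hits.append(src)
    return hits


def audit(responses, allowed_hosts=()):
    """responses: (url, status, body) tuples; error pages are audited too."""
    return [(status, url, src)
            for url, status, body in responses
            for src in offsite_iframes(body, url, allowed_hosts)]


# Constructed sample: a clean page and a 404 body carrying an injected iframe.
SAMPLE = [
    ("https://www.example.org/article/1", 200,
     '<html><body><iframe src="//video.example.org/embed/1"></iframe></body></html>'),
    ("https://www.example.org/no-such-page", 404,
     '<html><body><h1>Not found</h1>'
     '<iframe src="http://landing.example.net/?a=1"></iframe></body></html>'),
]

if __name__ == "__main__":
    print(*audit(SAMPLE, allowed_hosts=("example.org",)), sep="\n")
```

Feed it responses for URLs that are known not to exist alongside regular pages, so that content emitted only by the error handler is covered.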
Threat Indicators
Affected Drupal installations may be impacted by multiple attackers and leveraged for a variety of purposes. The activity RiskIQ has observed is driving traffic from affected sites to installations of RIG exploit kit, which serves a variety of browser and plugin exploits to visitors in an attempt to install malware on their systems. The RIG installations we've observed have been hosted on a number of rogue A records in compromised DNS zones pointing to the following host:
46.182.30.198 AS49505 | RU | ripencc | 2009-06-18 | SELECTEL OOO _Network of data-centers _Selectel_
AS49505 Selectel is a large Russian datacenter operator, and a common source of Eastern European cybercrime activity. Domain names found resolving to this IP address include:
Recommendations
We offer the following advice regarding the observed activity:
- Users everywhere should add identified IP and domain indicators to blacklists and to monitoring to ensure any resulting impact from these attacks is identified. Some domain names are related to previous activity and may be used to audit for past impact. Some are used for attacks today, and others are staged to be used in attacks going forward.
- Operators of Drupal CMS installations are urged to verify that all available updates are applied. This relates not only to the discussed vulnerability in Drupal 7 core, but also any additional modules that are installed, including third-party software modules. Most exploitation occurs using known, patched vulnerabilities that are not mitigated in a timely manner. Closing known exposures goes a long way in avoiding compromise.
- Many organizations outsource or contract their website operation and maintenance to a third-party design firm. Many service providers base customer websites on CMS projects such as Drupal. Organizations that are aware of Drupal being used for their web platform should contact their provider to verify currency and request an update if they are vulnerable. It might also be a good time to check in with the firm to validate which CMS is running on the site and if it is current, and review contract terms to make sure that regular and timely vulnerability remediation is ensured.
- Drupal CMS operators affected by this attack activity should take note of advice given in PSA-2014-003 regarding recovery from a site compromise. Patching Drupal to the latest version will prevent known exploits from affecting the site further, but analysis of the affected CMS and associated data in the database and scripts in the web root will be required to recover from the attack and restore site integrity.
- Operators of any web property should be aware of threats that target users of their services or use them as a basis to spread malware. Numerous types of exposures may allow an attacker to compromise a web property and introduce alterations which silently and transparently redirect site visitors to malicious sites in the background. These situations erode customer trust and can cost organizations valued business due to reputational impact. RiskIQ can monitor websites for signs of malicious activity affecting Internet users with our technology platform that browses a site like a real user would, highlighting malicious redirections, malware distribution, fraudulent content hosting and more.
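To act on the first recommendation above, resolver or proxy logs can be audited against the indicators; matching on the resolved IP as well as the zone also catches rogue hostnames that are not yet on any list. This is an added example, not RiskIQ code: the log format, the sample lines and the zone `flagged-zone.example` are constructed, and only the IP address comes from this post.

```python
import ipaddress

# 46.182.30.198 is the host named in this post. The zone is a placeholder:
# load the second-level domains from your indicator feed here.
INDICATOR_IPS = {ipaddress.ip_address("46.182.30.198")}
FLAGGED_ZONES = {"flagged-zone.example"}


def matched_zone(qname, zones):
    """Return the flagged zone that qname equals or sits under, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def audit_dns_log(lines, ips=INDICATOR_IPS, zones=FLAGGED_ZONES):
    """Return (timestamp, client, qname, reasons) for every line that hits.

    Assumed (constructed) log format: "<timestamp> <client> <qname> <answer-ip>".
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line: skip it rather than abort the audit
        ts, client, qname, answer = fields
        reasons = []
        try:
            if ipaddress.ip_address(answer) in ips:
                reasons.append("ip")  # strongest signal; catches unlisted names
        except ValueError:
            pass  # answer field is not an IP address
        if matched_zone(qname, zones):
            reasons.append("zone")  # triage only: the zone owner's own hosts match too
        if reasons:
            hits.append((ts, client, qname, reasons))
    return hits


# Constructed resolver log lines for the demonstration.
SAMPLE_LOG = [
    "2014-10-30T12:00:01Z 10.0.0.5 new.unlisted-zone.example 46.182.30.198",
    "2014-10-30T12:00:02Z 10.0.0.7 Shop.Flagged-Zone.example. 198.51.100.7",
    "2014-10-30T12:00:03Z 10.0.0.9 www.example.org 203.0.113.10",
    "truncated line",
]
```

Because the rogue records sit in compromised but otherwise legitimate zones, treat a zone-only hit as a lead to review and an IP hit as the stronger finding.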