Over the last several days, RiskIQ has observed numerous incidents involving visits to sites running on the Drupal content management system. Several installations of Drupal 7 have been observed serving an injected script tag that directs site users to sites hosting the RIG exploit kit.
Observed instances of RIG incidents tied to campaign
The same RIG infrastructure (identified by second level DNS domains) is also receiving traffic from sites running WordPress, with similar compromise patterns.
On October 15, the Drupal project published advisory SA-CORE-2014-005 (and an accompanying FAQ) describing a SQL injection vulnerability in the database abstraction API layer that could be exploited by unauthenticated remote users. SQL injection flaws can pave the way for privilege escalation, arbitrary code execution, account takeover and, in some cases, complete compromise of an application or server. SQL injection is also a common technique for inserting malicious script tags into website content in order to drive traffic to blackhat infrastructure.
On October 29, the Drupal project published a public service announcement notifying users of confirmed reports of mass SQL injection attacks leveraging the disclosed vulnerability. Drupal rates the impact of the vulnerability as 25/25; it further states:
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Examples
The following Drupal-based websites were observed driving traffic to the exploit kit infrastructure. Incident links are provided to view additional information about the observed activity. The redirection method used for the drive-by download is simple compared to many other active malware distribution campaigns: the iframe is injected directly into the site content and rendered when the CMS serves the page. The iframe points straight at the exploit kit landing page; no intermediary redirection or rotation service (TDS) is used to add a layer of misdirection.
Popular Science (www.popsci.com)
When a visitor requests a page that does not exist, the injected iframe is returned as part of the 404 response generated by the site's 404 handler.
Iframe redirecting Popular Science online visitors to RIG exploit kit
Homestead Technologies (www.homestead.com)
Web hosting firm Homestead was also affected:
iframe redirecting Homestead visitors to RIG exploit kit
Typepad (www.typepad.com)
iframe redirecting Typepad visitors to RIG exploit kit
Spin Magazine (www.spin.com)
iframe redirecting SPIN visitors to RIG exploit kit
Advertise.com (www.advertise.com)
iframe redirecting Advertise.com visitors to RIG exploit kit
Threat Indicators
Affected Drupal installations may be impacted by multiple attackers and leveraged for a variety of purposes. The activity RiskIQ has observed is driving traffic from affected sites to installations of RIG exploit kit, which serves a variety of browser and plugin exploits to visitors in an attempt to install malware on their systems. The RIG installations we’ve observed have been hosted on a number of rogue A records in compromised DNS zones pointing to the following host:
46.182.30.198 AS49505 | RU | ripencc | 2009-06-18 | SELECTEL OOO "Network of data-centers "Selectel""
AS49505 Selectel is a large Russian datacenter operator, and a common source of Eastern European cybercrime activity. Domain names found resolving to this IP address include:
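Site owners can check their own pages for the injection pattern described above (an iframe pointing straight at the exploit kit landing page, also served from the 404 handler, on domains that are rogue A records resolving to the RIG host). The following is an added example, not RiskIQ's tooling: it parses fetched HTML, flags iframes whose host is a known RIG domain, resolves to the RIG IP quoted in this report, or is hidden, and uses constructed sample pages and a DNS stub so it runs offline (in production, fetch a normal page plus a deliberately non-existent path and pass each body to scan_html with a real resolver).

```python
# Added example (not RiskIQ's tooling): flag injected iframes in fetched HTML.
# Indicator values are quoted from the report above; the sample pages and the
# DNS stub are constructed so the script runs offline.
from html.parser import HTMLParser
from urllib.parse import urlparse

RIG_HOST_IP = "46.182.30.198"
RIG_DOMAIN_SUFFIXES = ("corrosionspecialist.net", "corrosionstandards.com")


class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # Keep every <iframe> start tag's attributes, keys lowercased, None -> "".
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Drive-by iframes are usually 0/1 px or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan_html(html, resolve):
    """Return findings for iframes matching the RIG indicators; `resolve(host)`
    returns the host's A record (a stub here, real DNS in production)."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host.endswith(RIG_DOMAIN_SUFFIXES):
            reasons.append("known RIG domain")
        if host and resolve(host) == RIG_HOST_IP:
            reasons.append("resolves to RIG host")  # catches rogue A records on new domains
        if is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample responses: a clean page and a 404 body carrying an injected iframe.
CLEAN_PAGE = '<html><body><iframe src="https://www.youtube.com/embed/x" width="560"></iframe></body></html>'
NOT_FOUND_PAGE = ('<html><body><h1>Page not found</h1><iframe src="http://int.corrosionspecialist.net/'
                  '?x" width="1" height="1" style="display:none"></iframe></body></html>')
STUB_DNS = {"int.corrosionspecialist.net": RIG_HOST_IP, "www.youtube.com": "203.0.113.10"}
```

Running `scan_html(NOT_FOUND_PAGE, STUB_DNS.get)` reports the injected iframe with all three reasons, while the clean page yields no findings; the IP-resolution check is what catches freshly registered domains not yet on any list.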
We offer the following advice regarding the observed activity: