Threat actors are using the DirtyCOW bug to exploit a backdoor in Drupal Web Servers.

Imperva researcher Nadav Avital spotted the attack on Oct. 31 exploiting the Drupalgeddon2 and DirtyCOW bugs, as well as system misconfigurations, to persistently infect vulnerable Drupal web servers and take over user machines, according to a Nov. 19 blog post.

Researchers noted this is unusual as previously remote code execution (RCE) attacks on web servers were usually once-off security events in which the attacker would run their code and that was it.

But as attackers started opting for persistent attacks they could more easily re-infect vulnerable servers in case the process was terminated or after a server restart, or even run additional malware.

“First, the attacker builds a word list by locating all of Drupal’s settings files and extracting any line with the word “pass” in it,” Avital said. “Then, armed with a potential list of passwords, the attacker tries to use the operating system command ‘su root’ to change the user to root.”

Avital added that if the attacker succeeds in changing the user, they can then download the secondary payload ‘sshdstuff’ and execute the attack.

The attacker in the most recent attempt exploited SSH in Linux by opening a communication channel through SSH and transmitting the malicious commands, which assumes the SSH service is installed on the targeted device. If the device isn’t running SSH, the threat actor will have to install it themselves.

The threat actor then built a word list by locating all of Drupal’s settings files and extracting any line with the word “pass” in it before trying to change the user to root, a step Avital noted could be useful because many administrators leave ‘root’ as the default user to connect from the web application to the database.

The technique will fail if the administrator was careful and didn’t leave root passwords in the configuration files, in which case the attacker will then look to exploit the DirtyCOW bug to escalate their privileges to root.

“The attacker downloads three different implementations of DirtyCOW and runs them one after the other,” Avital said. “One of the implementations is downloaded in its raw format (C source code file) and is compiled at runtime.”

Once the attacker switches to the root user and gains permission to install new services, they install and configure SSH and add their key to the list of authorized keys used by the service. As long as the machine is running, they have the ability to remotely transmit any command as the user root.

Avital noted that the two-year-old bug still has a zero detection rate in VirusTotal, and recommends administrators ensure their web applications and host systems are fully patched. If possible, he recommends they use an external cybersecurity solution to ensure attacks never reach the server in the first place.
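
A defender-side check for the two conditions the attack described above relies on, as an added example that is not from Imperva's post: it lists live credential lines in Drupal settings files (flagging a database user of 'root') without reporting the values, and returns authorized_keys entries that are missing from an allowlist. The function names, the allowlist format and the sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile

DB_USER_RE = re.compile(r"""['"]username['"]\s*=>\s*['"]([^'"]*)['"]""")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names

def audit_drupal_settings(webroot):
    """Return (path, line, finding) for live credential lines and root DB users; no secret values."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if "settings" not in name or not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, text in enumerate(map(str.strip, fh), 1):
                    if text.startswith(("*", "/*", "//", "#")):
                        continue  # PHP comment, not a live setting
                    if (m := DB_USER_RE.search(text)) and m.group(1) == "root":
                        findings.append((path, lineno, "db-user-root"))
                    if "pass" in text.lower():
                        findings.append((path, lineno, "credential-line"))
    return findings

def unexpected_root_keys(authorized_keys_text, allowed_blobs):
    """Return authorized_keys entries whose blob (field after the key type) is not allowlisted."""
    unexpected = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        blob = next((b for t, b in zip(fields, fields[1:]) if t.startswith(KEY_TYPES)), None)
        if blob not in allowed_blobs:  # unparseable lines (blob is None) are reported too
            unexpected.append(line.strip())
    return unexpected

def demo():
    """Run both checks on constructed sample data (not taken from the incident)."""
    settings = ("<?php\n// database password goes below\n$databases['default']['default'] = array(\n"
                "  'username' => 'root',\n  'password' => 'CONSTRUCTED-EXAMPLE',\n);\n")
    keys = "ssh-ed25519 AAAAADMINKEY admin@example\nssh-rsa AAAAUNKNOWNKEY unknown@example\n"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "settings.php"), "w") as fh:
            fh.write(settings)
        found = [(os.path.relpath(p, root), n, f) for p, n, f in audit_drupal_settings(root)]
    return found, unexpected_root_keys(keys, {"AAAAADMINKEY"})

if __name__ == "__main__":
    print(demo())
```

On a real host, point `audit_drupal_settings` at the web root and pass the contents of root's authorized_keys file together with the set of key blobs your administrators actually use.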