Slashdot Mirror


Hundreds of Drupal Sites Targeted With Fake Ransomware (softpedia.com)

An anonymous reader writes: A group of hackers has created a ransomware strain that specifically targets Drupal sites. Infection occurs thanks to an automated bot which scans Drupal sites and then uses an SQL injection (CVE-2014-3704) to change the site admin's password. The bot also dumps any emails it finds on the server, and then overwrites the site's main page to show a typical ransomware note. Over 400 sites have been infected so far, but nobody has paid the ransom yet.

This case yet again proves why "Web ransomware" will never work because even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site.

51 comments

  1. Haha by dnaumov · · Score: 1

    Even the worst hosts provide backups? I see you are new to this whole hosting thing. Oh, and to how "normal" users behave.

    1. Re:Haha by Anonymous Coward · · Score: 0

      Good call.
      The chance that a site will have a good backup policy is usually related to their potential for loss.
      A site with active shopping / support services could be badly impacted by even a few hours of downtime.
      It wouldn't send them into bankruptcy, but the cost to restore the site could still be substantial.
      Would they pay "insurance" to prevent such an unfortunate event?
      Looks like we will soon discover the answer.

    2. Re:Haha by mlts · · Score: 1

      In my experience, a lot of places say they provide backups.

      Usable restores, on the other hand... different story.

      My recommendation is to dump the MySQL/MariaDB database (I use mysqldump and do a logical backup, as well as popping a snapshot), as well as snapshotting the core and other files needed for the Drupal site, shove all of that into a deduplicating backup program like Borg Backup, as well as every so often, take a tar archive and save that off in a separate location, just in case the backup program glitches. When it comes to backups, pack your own parachute. Don't expect someone to do it for you.

      It would be nice if providers giving shell access would use NetApp or another filesystem to allow backups to be pulled out using the .snapshot directory. This, combined with periodic dumps of the MySQL database to a directory would do well for short-term, "oh shit" recoveries.

  2. SQL injection? by BitterOak · · Score: 1

    Back when I used to develop sites in Drupal (which was a few years ago), all SQL queries were parameterized, as opposed to passing variable data as part of the query string. I thought this was supposed to protect you from SQL injection attacks. Am I missing something, or are they attacking very, very old Drupal installations?

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:SQL injection? by Anonymous Coward · · Score: 0

      Am I missing something

      The power of open source!!!!!!111111111eleven - many mediocre eyes looking at mediocre scribblings. And then you have contrib modules, which receive much less attention than core.

      In fairness, of course, this isn't an open source thing. With few exceptions, nobody does proper auditing/testing on software, because it's a giant, expensive pain in the ass and nobody would get anything else done.

    2. Re:SQL injection? by Anonymous Coward · · Score: 0

      CVE-2014-3704, ahem

    3. Re:SQL injection? by chipschap · · Score: 1

      The power of open source!!!!!!111111111eleven - many mediocre eyes looking at mediocre scribblings.

      As opposed to proprietary closed source, which is very often a handful of weak eyes looking at lunatic ravings.

    4. Re:SQL injection? by Anonymous Coward · · Score: 4, Informative

      You are missing something, more precisely you are missing the fact that Drupal was written in PHP. If you want to iterate over an array in PHP you will probably write something like this:
        foreach($array as $key => $data) { ... }

      A construct like that was used in Drupal to construct an SQL query with a list of named parameters, the values for which were then supplied later. You'd get an SQL clause like this:
      ... IN (:idlist_1, :idlist_2, :idlist_3) ...

      And the values would be filled in and escaped by the SQL backend later. Array indices are numbers, so it's all perfectly safe, right? The thing is, PHP contains a critical security bug in that it doesn't enforce declaring the distinction between arrays and maps. So if an attacker can somehow trick the code into executing on a map, $key might be a string containing arbitrary SQL commands which will be executed as is.

      Note that in many languages this cannot happen because an array is not a map, but PHP is unsafe by default here. Yes, if you know about this issue you can work around it, for example by inserting a call to array_values, but the language should really be changed to make it distinguish arrays and maps, and to make impossible to use maps as arrays. It is especially unforgivable since PHP was designed for the web and to be easy to use by novice programmers.

      Link to CVE page.

      Link to earlier /. discussion.
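
The foreach pattern the comment above describes, as an added example that is not part of the original thread and is not Drupal's own code: a stripped-down expander for ":name[]" list placeholders in the same style, with a switch for the array_values() workaround the comment mentions. The function name, the query text and the hostile input are made up for illustration.

```php
<?php
// Added example, not Drupal's code: a simplified expander for ":name[]" list
// placeholders, modelled on the foreach pattern described in the comment.
// expand_placeholders() and the query below are made up for illustration.

function expand_placeholders(string $query, array $args, bool $hardened): array
{
    foreach (array_filter($args, 'is_array') as $key => $data) {
        if ($hardened) {
            // Renumber first: $i is then always 0, 1, 2, ... no matter what
            // keys the caller's array carried.
            $data = array_values($data);
        }
        $new_keys = [];
        foreach ($data as $i => $value) {
            // $i is spliced into the SQL text below. In the unhardened path it
            // is whatever key the caller supplied, integer or string.
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace(
            '#' . preg_quote($key, '#') . '\s*\[\s*\]#',
            implode(', ', array_keys($new_keys)),
            $query
        );
        unset($args[$key]);
        $args += $new_keys;   // the values are still bound separately, by name
    }
    return [$query, $args];
}

$sql = 'SELECT uid FROM users WHERE name IN (:names[])';

// Ordinary call: a genuine list, so the keys are 0 and 1.
[$query, $args] = expand_placeholders($sql, [':names' => ['alice', 'bob']], false);
echo $query, "\n";

// Constructed hostile input. A PHP "array" is also a map, so a field submitted
// as names[0 OR 1=1) -- ]=x arrives with a string key, and it is that key, not
// the bound value, that is copied into the query text.
$hostile = [':names' => ['0 OR 1=1) -- ' => 'x']];
[$query, $args] = expand_placeholders($sql, $hostile, false);
echo $query, "\n";

// The same input through the array_values() path: the string key is dropped,
// the placeholder list is just :names_0, and 'x' is bound to it as a value.
[$query, $args] = expand_placeholders($sql, $hostile, true);
echo $query, "\n";
```

Run it with the php CLI. The first echo prints the placeholder list as `:names_0, :names_1`; the second shows the hostile key sitting inside the SQL text as `:names_0 OR 1=1) -- ` before any parameter binding has happened, which is the point the comment makes about keys versus values; the third, with the renumbering in place, prints `:names_0` only. The placeholder expansion is string work done by the application, so parameterised values do not protect it.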

    5. Re:SQL injection? by Anonymous Coward · · Score: 0

      It's true that old PHP makes this kind of error easy. But the language has evolved over the years; unfortunately, the big CMSs haven't kept up in the name of backwards compatibility. This particular one is easily fixed with $array = array_values($array);

      If using modern PHP and a modern framework and ORM (eg, Symfony and Doctrine) then this kind of issue doesn't come up.

    6. Re:SQL injection? by Anonymous Coward · · Score: 0

      ‘old PHP’ – That is false. The same security bug still exists in PHP 7.0.6, and worse still, it isn't called out in the documentation at all. I cannot understand how people can be so irresponsible.
      As I said before, it is possible to work around it, but PHP was meant to be for the web and for novice developers. The fact that you can work around it, with a call to array_values or by coding the loop differently or by using a hopefully bug-free ORM that hides the SQL from you altogether and hoping you'll never have to iterate over an array yourself, therefore means very little, especially since the official documentation itself makes no mention of this issue.
      How exactly is a novice programmer supposed to know that this security bug exists? How is someone reviewing the code who hasn't been warned about the issue beforehand supposed to catch that foreach may not do what you think it does, especially when he's a novice or hasn't got as much time as he'd like?
      This issue manifested in a major CMS. If they cannot do it right, it's unreasonable to expect most PHP programmers to get it right anyway.

  3. Easy fix by Kyogreex · · Score: 1

    The backups may not even be necessary. Just as the attacker changes the password, unless something has changed with Drupal you can also quite easily change the password simply by hashing a new one. Fixing what damage they've done to the site itself is a little work, but it's not like this would make it unrecoverable.

    1. Re:Easy fix by Anonymous Coward · · Score: 0

      Look at some of the more clever PHP backdoors in stuff like Wordpress or Joomla. You need to be on top of your game to make sure there isn't anything left behind to allow access at a later date.

      You need to check all the files to make sure they haven't been modified from the standard installation or whatever custom changes you're running, check all the images on the site to make sure code hasn't been embedded, naturally all passwords are getting reset top to bottom. Having checksums or something to diff against is a big help.

    2. Re:Easy fix by drinkypoo · · Score: 1

      You need to check all the files to make sure they haven't been modified from the standard installation or whatever custom changes you're running,

      If you've backed up your themes, then you can just reinstall the files, which takes but moments. There's no reason save curiosity to check over files. Just get them all from the clean source and reinstall them. Unless you're a total glutton for punishment, you've only got a few modules installed anyway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Easy fix by Anonymous Coward · · Score: 0

      You have had someone compromise your system at the admin level. You would be a fool to not recover from backup and obliterate your current site from space as you can never be certain the only thing they did was change your password.

  4. infected back up by Anonymous Coward · · Score: 0

    If backups are made every Saturday at 5pm, infect site at 4:49pm

    That said if my site was infected and ransom was cheap and fast, I would pay for convenience. Even if I had offsite backup.

    1. Re:infected back up by mspohr · · Score: 1

      Maybe the next version of the ransomware could do an automatic backup of the site before infecting it and then restore this backup as a "service" for an extra fee.
      Sounds like you would find this useful.

      --
      I don't read your sig. Why are you reading mine?
  5. time delayed by Anonymous Coward · · Score: 0

    "even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site."

    I'd imagine the backups they keep are only for a couple weeks. Time delay the obvious symptoms (ransomware prompts) for a few weeks. Backups won't do much good then. You're welcome.

  6. Make another CMS by Billly+Gates · · Score: 0

    Drupal and WordPress are horrible! Why can't someone make one that is easy to modify, doesn't take a year to learn, made in a real language like Erlang, and can be updated without being root automatically?

    Is that really so hard. Shit we should make another one? It can't be all that hard?

    1. Re: Make another CMS by Anonymous Coward · · Score: 0

      Nobody can be bothered to do it

    2. Re:Make another CMS by Anonymous Coward · · Score: 0

      Get cracking!

    3. Re:Make another CMS by Anonymous Coward · · Score: 0

      They have them, they just aren't popular. The problem is that the big two are so ubiquitous that all people do is learn those (or even just one of them and not very well at that) and think they are all set. Just look at how many sites get nailed due to out-of-date plugins or themes. If they can't be bothered to make sure their installs are up-to-date, they certainly aren't going to spend time on an esoteric CMS, especially one outside the LAMP stack.

      Also, FWIW, the most popular Erlang one is probably Zotonic.

  7. hundreds? by v1 · · Score: 1

    not trying to be too petty here, but really, does a problem affecting "hundreds" of web sites in the world really matter that much? That's like a percent of a percent isn't it?

    And how does anyone (other than the malware author) know that nobody has paid them yet?

    Final note... "will never work".... they wouldn't be doing it if it wasn't making them any money. (not for long anyway, and not more than once) We wouldn't see 99% of the hackery on the internet that we do today (spam, ransomware, phishing, advertisement, scareware, viruses/worms) if they hadn't found a way to cash in on their efforts.

    --
    I work for the Department of Redundancy Department.
    1. Re:hundreds? by Anonymous Coward · · Score: 0

      It is exploiting a hole in a relatively commonly used technology stack, one that has inherent shitty security to begin with. If it was ONLY a couple of hundred sites then no it probably would not matter, the reality is it will continue to escalate as most people that run this stuff are awful at patching and maintaining it, it is really a lot like wordpress.

    2. Re:hundreds? by _Sharp'r_ · · Score: 4, Informative

      From the article, it's about 400 sites. Pretty easy to find infected sites with Google, since it changes the home page of the site.

      And how does anyone (other than the malware author) know that nobody has paid them yet?

      The ransom is to be paid to a specific bitcoin address, so anyone can look at the blockchain and see how much bitcoin has ever been transferred to that address. The answer being 0 makes the folks in the article pretty confident nothing has been paid so far.

      The infected sites appear to be mostly abandoned by their creators, which explains why they're 2 years behind in Drupal 7.x security updates.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    3. Re:hundreds? by drinkypoo · · Score: 1

      not trying to be too petty here, but really, does a problem affecting "hundreds" of web sites in the world really matter that much? That's like a percent of a percent isn't it?

      It's actually only a small percentage of a small percentage of Drupal sites, let alone of all sites. Drupal has become massively popular because it sucks less than WP.

      Final note... "will never work".... they wouldn't be doing it if it wasn't making them any money.

      Eh, maybe. Before I knew anything about security the geek house I was living in got hacked through an apache vuln by someone calling themselves "Kunt". They replaced all the index.html files with their own message about proper security. There's all kinds of motivations. Luckily my personal pages were RCS'd so I could just check them out again.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Not every site is backed up by justcauseisjustthat · · Score: 1

    "even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site.", sorry, but there are so many newbie developers building sites and cheap business owners that they don't enable backups or aren't willing to pay for it. There are plenty of sites with no backup!

  9. Simply unpossible! by Anonymous Coward · · Score: 0

    It's open sores and this never happens with open sores softwares! But maybe the cause is the fact that it's a stupid name...

  10. delusion submitter? by bloodhawk · · Score: 4, Insightful

    "This case yet again proves why "Web ransomware" will never work because even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site."

    WTF, the writer of this post lives in a delusional bubble. Most sites don't have backups, backups cost money. Ransomware exists because it is extremely successful, it only has to work on 1 in a hundred or 1 in a thousand to make it profitable.

    1. Re:delusion submitter? by drinkypoo · · Score: 1

      Most sites don't have backups, backups cost money.

      I pay $1/mo for my hosting and I have backups. Not a lot of them, but still.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:delusion submitter? by Anonymous Coward · · Score: 0

      and you would be the exception rather than the rule on a lot of the smaller sites.

    3. Re:delusion submitter? by Anonymous Coward · · Score: 0

      You assume competence. There are lots of shops that are big enough that they can't really run on shared hosting, but aren't big enough to hire competent sysadmins who make backups. Even with this, most shared hosts must be configured to make proper backups.

  11. Ransomware DDOS botnets run on Windows .. by tetraverse · · Score: 1

    Didn't you leave out the most important bit?

    1. Re:Ransomware DDOS botnets run on Windows .. by Bing+Tsher+E · · Score: 1

      In the future they will run on whatever is the most used desktop operating system that ordinary people use to connect to the Internet.

    2. Re:Ransomware DDOS botnets run on Windows .. by Anonymous Coward · · Score: 0

      What has that got to do with this LINUX based ransomware example? Is it simply to make you feel better that you aren't the only turd in the toilet bowl?

    3. Re:Ransomware DDOS botnets run on Windows .. by khz6955 · · Score: 1

      "We wants it, we needs it, must have the precious, they stole it from us"

    4. Re:Ransomware DDOS botnets run on Windows .. by Anonymous Coward · · Score: 0

      No. There's ransomware for Linux. It's been on the market for months. But only targeted servers and not desktops.

  12. Most host-provided backups don't actually work by raymorris · · Score: 2

    Further, of the perhaps 12 hosting companies we've contacted about restoring backups, most of the time the backups didn't actually work. A common scenario was that the backups stopped working several months earlier but nobody noticed until they were needed.

    That type of experience, and web hosting companies that go out of business, eventually forced us to create Clonebox.

    1. Re:Most host-provided backups don't actually work by Anonymous Coward · · Score: 0

      We had a hosting provider that did backups. Then we suffered an exploit. We alerted the provider to do a restore from the last known good (a few days before as they hit over the weekend). Well, they told us that they did not have backups that far back, they could only restore to the day before.

      And yes, the exploit was in an out-of-date wordpress install they had migrated our site to, from a fully-patched one for "load balancing" purposes. Suffice it to say, we ended up finding a new host.

  13. Self-defeating by johnsmithperson123 · · Score: 2

    You know, you could actually use the exploit to change the sites password back, right? And if it's just the main page, even if it isn't backed up it isn't much work to rebuild (well, relatively anyway). Unless they patched it after your site got infected.

  14. squaregroup by Anonymous Coward · · Score: 0

    I know they use this breach for dirty business. Oh BTW, don't you mind telling me what to do. I told you before and repeat: I hate you for the rest of my life. And since when can Polish cyber criminals do whatever they want?

    Ah, hey helena, you are a clueless daughter of a bitch. I hate you today, I'll hate you tomorrow; you and everyone you know are nothing but a pile of shit to me.

    I've spent 5 months trying to convince you that there's no point acting like the last cookie in the packet. There are 3 billion women in the world, and you stopped being interesting the moment you showed that moronic face of yours and that rotten family.

  15. What's fake about it? by twdorris · · Score: 2

    Sounds real to me.

    Lame, perhaps, but certainly real to the extent that someone is (at least temporarily) locked out of their system and has to take steps to restore it or pay the ransom.

    From the fine article, it didn't bother encrypting anything so that certainly bumps it way up on the lame scale. But it's not like people received notices in their inbox demanding ransom for something that never got installed.

  16. WTF? So so wrong by JustAnotherOldGuy · · Score: 1

    "even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site."

    This is so wrong it gave me brain cancer.

    NEWSFLASH: Lots of hosts don't provide backups, automatic or otherwise. Ask me how I know.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:WTF? So so wrong by Anonymous Coward · · Score: 0

      how do you know?

  17. Also if they've lost big before and learned by raymorris · · Score: 1

    > The chance that a site will have a good backup policy is usually related to their potential for loss.

    I would say that more than half of companies who sign up for our backup/warm spare service do so right AFTER a loss incident. Their web hosting company has a fire, or vanishes in the night, or they get rooted or whatever and they realize they should have had a solid backup. They get Clonebox to make sure that kind of thing doesn't happen again.

    My stats are a bit skewed because they often call us for help recovering a borked server. We point out that a solid backup would have cost a lot less than trying to recover from a really bad situation.

  18. Version by l0n3s0m3phr34k · · Score: 1

    per TFA "affects Drupal 7.x installations prior to version 7.32." My Drupal site is at 7.43. 7.33 was released on November 7, 2014. This exploit is actually discussed on Drupal's Security advisories page, and they admit "Multiple exploits have been reported in the wild following the release of this security advisory" lol. Then there is a PSA about it too. Not surprised no one has paid on this yet; if you haven't updated your Drupal site in two years you probably don't really care that much about it haha.

  19. If you're dumb enough to use Drupal by Anonymous Coward · · Score: 0

    ...then don't be surprised when this kind of shit happens to you.

    I recommend a product called "literally anything else" as an alternative to Drupal.

  20. Not really a big piece of news ... by Qbertino · · Score: 1

    I'm not a Drupal Fan - WordPress and sometimes Joomla are my goto PHP CMSes - but this isn't really that big a newspiece, considering the install base Drupal has.

    It's like saying WordPress is the Bane of the Web because 8000 Websites were hacked. 8000 out of 105 000 000 (105 Million) Installations isn't really that much. I doubt any other platforms can claim measurably better security.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:Not really a big piece of news ... by Anonymous Coward · · Score: 0

      I'm not a Drupal Fan - WordPress and sometimes Joomla are my goto PHP CMSes - but this isn't really that big a newspiece, considering the install base Drupal has.

      It's like saying WordPress is the Bane of the Web because 8000 Websites were hacked. 8000 out of 105 000 000 (105 Million) Installations isn't really that much. I doubt any other platforms can claim measurably better security.

      Wordpress really is a badly written piece of software.

      It's the kind of legacy code that really can't be fixed without a wholesale rewrite. But they can't do that because it would break all the existing plugins and templates, which are the lifeblood of its ecosystem. Classic catch-22. So they just have to sit there and keep the rubbish, and just keep telling people not to peek behind the curtain.

      Joomla, on the other hand, I can wholeheartedly agree with you on. It is a pretty well-written application. I'd suggest that you should consider using Joomla a bit more and Wordpress a bit less.

    2. Re:Not really a big piece of news ... by Ice+Station+Zebra · · Score: 1

      It is the pay for plugin market that really is killing wordpress, but it is also what keeps it going. You have a million marketers saying that wordpress is the greatest thing since sliced bread, because that is how they get their bread. Last I looked at joomla, it was in the same sorry state. Drupal is still the only truly free cms.

  21. How is it fake? by wonkey_monkey · · Score: 1

    Hundreds of Drupal Sites Targeted With Fake Ransomware

    What's fake about it?

    --
    systemd is Roko's Basilisk.
    1. Re: How is it fake? by Anonymous Coward · · Score: 0

      I'm sorry that you're incapable of understanding. Perhaps you should go eat a dick instead.