Crooks Used SQL Injections to Hack Drupal Sites and Install Fake Ransomware

Unknown attackers are leveraging a two-year-old vulnerability in Drupal installations to break into sites and install Web-based ransomware that hijacks the website's main page but fails to encrypt any files.


The first victims complaining about this new strain of ransomware appeared in late March on the official Drupal forums. Site admins described their websites as "being locked" with a message that read:


"Website is locked. Please transfer 1.4 BitCoin to address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to unlock content."


A quick Google search for the Bitcoin address reveals that most of the affected websites are running on the Drupal CMS platform.


Information provided to Softpedia by Stu Gorton, CEO and Co-Founder of Forkbombus Labs, shows that the first infections started appearing on March 11 but really picked up speed after March 18.


Attackers using SQL injection flaw to get in

Forkbombus Labs says that the threat actor behind this campaign starts by scanning websites for the presence of /CHANGELOG.txt (a Drupal-specific file) and /joomla.xml.


The attacker's scanning bot extracts the Drupal site's version, then uses the CVE-2014-3704 vulnerability to break into the affected websites and eventually change the ad ..
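The two defender-side checks that follow from this description, as an added example that is not part of the article or of Forkbombus Labs' tooling: flag access-log clients that request both fingerprint files the bot probes for, and read a Drupal 7 CHANGELOG.txt to see whether the site predates the release that fixed CVE-2014-3704 (Drupal 7.32, a fact not stated in the article). The log lines and CHANGELOG header are constructed samples.

```python
import re
from collections import defaultdict

# Drupal 7.32 shipped the fix for CVE-2014-3704 (SA-CORE-2014-005); earlier 7.x is affected.
PATCHED_VERSION = (7, 32)
# Paths the article says the attacker's bot probes to fingerprint Drupal / Joomla sites.
FINGERPRINT_PATHS = {"/CHANGELOG.txt", "/joomla.xml"}
# Apache/nginx combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) \S+" (\d{3})')

# Constructed sample data (not taken from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2016:10:01:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 21034
203.0.113.7 - - [18/Mar/2016:10:01:03 +0000] "GET /joomla.xml HTTP/1.1" 404 209
198.51.100.4 - - [18/Mar/2016:10:05:44 +0000] "GET /node/1 HTTP/1.1" 200 8812
198.51.100.4 - - [18/Mar/2016:10:05:45 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 21034
""".splitlines()
SAMPLE_CHANGELOG = "Drupal 7.31, 2014-08-06\n-----------------------\n"


def drupal_version_from_changelog(text):
    """Parse the leading 'Drupal X.Y, <date>' line of a Drupal 7 CHANGELOG.txt.
    Returns (major, minor), or None when no such header is present."""
    m = re.search(r'^Drupal (\d+)\.(\d+)', text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def vulnerable_to_cve_2014_3704(version):
    """True when a parsed 7.x version predates the patched release."""
    return version is not None and version[0] == 7 and version < PATCHED_VERSION


def fingerprint_scanners(log_lines):
    """Return {ip: sorted paths} for clients that requested *both* fingerprint
    files, the probe pattern the article attributes to the scanning bot."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ip, path, _status = m.groups()
            if path in FINGERPRINT_PATHS:
                hits[ip].add(path)
    return {ip: sorted(paths) for ip, paths in hits.items() if paths == FINGERPRINT_PATHS}


if __name__ == "__main__":
    ver = drupal_version_from_changelog(SAMPLE_CHANGELOG)
    print("site version:", ver, "vulnerable:", vulnerable_to_cve_2014_3704(ver))
    print("fingerprinting clients:", fingerprint_scanners(SAMPLE_LOG))
```

A client that fetches only /CHANGELOG.txt is not flagged, since a single request for that file is ordinary; the pairing with /joomla.xml is what matches the described bot.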
