Malicious toolkit is hosted on machine located in Russia

Oct 31, 2014 12:51 GMT

The public disclosure of a critical SQL injection vulnerability affecting all builds of Drupal 7, save for the last one, gave way to increased cybercriminal activity leveraging the RIG Exploit Kit to compromise website visitors through drive-by download attacks.

The attackers relied on a simple redirect: an iframe injected into the site's code, with no traffic distribution system (TDS) involved. The iframe's URL therefore pointed straight at the landing page of the exploit kit, which scans for unpatched versions of Java, Silverlight and Flash Player and exploits them to install malware on the visitor's system.

Russian data center hosts the crimeware

RiskIQ, a company providing website scanning and navigation solutions for malware detection, has observed that many of the Drupal sites compromised through the SQL injection attack redirected to RIG Exploit Kit.

According to the data collected by the company's systems, all instances of the malicious toolkit are hosted on a machine (46.182.30.198) that is part of the server fleet of Russian datacenter operator Selectel.

Among the websites hit by the cybercriminals are advertise.com, typepad.com, homestead.com (a web hosting company that was itself affected) and popsci.com (Popular Science).

RiskIQ says that Selectel is regularly used for criminal online activities by crooks in Eastern Europe.

Most of the domains hosting the exploit kit contain the “corrosion” string, with different variations and top-level domains (.COM, .NET, .ORG). Checking some of them in Google Chrome shows that they are already blacklisted for containing malware.
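As an added illustration (not code from the article or from RiskIQ), the following Python script scans a page's HTML for off-site iframes of the kind described above, flagging hidden or 1x1 frames and hosts containing the "corrosion" string; the sample HTML and its hostnames are constructed placeholders, not real indicators.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator string reported in the article; extend as needed.
SUSPICIOUS_HOST_SUBSTRINGS = ("corrosion",)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """Heuristic: zero/1-pixel or display:none iframes are typical of injected redirects."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    w = (attrs.get("width") or "").strip()
    h = (attrs.get("height") or "").strip()
    tiny = w in {"0", "1"} or h in {"0", "1"}
    return tiny or "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html, site_host):
    """Return (src, reason) pairs for off-site iframes matching the indicators."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        if not host or host == site_host:
            continue  # same-origin frames are out of scope for this check
        reasons = []
        if any(s in host for s in SUSPICIOUS_HOST_SUBSTRINGS):
            reasons.append("host matches indicator string")
        if is_hidden(attrs):
            reasons.append("hidden/tiny iframe")
        if reasons:
            findings.append((src, ", ".join(reasons)))
    return findings


# Constructed sample page: one legitimate embed, one injected hidden iframe.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://corrosion-landing.invalid/index.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""
```

Running `suspicious_iframes(SAMPLE_HTML, "www.mysite.example")` reports only the second frame, with both reasons.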

Web admins have plenty of work these days

Drupal made a public service announcement on Wednesday, seeding panic among website administrators by saying that all websites that have not been updated within seven hours after the release of the patch for the code injection security slip-up (CVE-2014-3704) should be assumed compromised.

Sounding the alarm was not unfounded, though, because multiple companies offering security solutions for websites recorded a massive wave of attacks the day of the disclosure, October 15.

One recommendation from Drupal developers for administrators who did not hurry to apply the patch is to rebuild the site from scratch, since a compromised asset remains under the control of unauthorized third parties even if the latest Drupal update is applied.

In the more optimistic scenario where a backup made before October 15 is available, the maintainers of the CMS advise taking the website offline, restoring the backup and patching Drupal before releasing the site online again.

Trying to remove backdoors planted by the attackers is not recommended because the operation has low chances of rendering the website completely clean.