Massively Critical Drupal Bug Exploited in-the-Wild
Researcher Daniel Cid of Sucuri says he began observing in-the-wild exploitation of a highly critical, remote code execution Drupal vulnerability (CVE-2018-7600), dubbed Drupalgeddon 2, on April 12. The vulnerability affects unpatched versions of Drupal 6, 7, and 8, which account for roughly 9 percent of all installs. Drupal fixed the bug on March 28, but researchers have since published working proofs-of-concept, prompting Drupal to warn that “Sites not patched by Wednesday, 2018-04-11 may be compromised.” Drupal goes on to note that sites may have been compromised before that date, and that simply installing the update will not remediate an already-compromised site.

A remote attacker can exploit the vulnerability merely by compelling a victim to visit a maliciously crafted website, thereby taking complete control of the affected site. Beyond full compromise, an attacker could use the vulnerability to steal, manipulate, or delete data on a vulnerable website.

A patch that fixes the vulnerability is available, and users can alternatively update to the latest versions of Drupal, 7.58 or 8.5.1. Given the severity of the bug, Drupal also took the extraordinary step of updating certain end-of-life builds: versions 8.3.9 and 8.4.6 resolve the problem. Drupal 8.2.x and earlier and Drupal 6 will not be patched. Administrators of affected sites must install these updates or patches manually. According to researchers at Check Point, the bug stems from “insufficient input sanitation on Form API (FAPI) AJAX requests.”
Study: Bank Apps Vulnerable to High Severity Bugs
In automated vulnerability assessments of an undisclosed number of unidentified online banking applications, Positive Technologies reports that 100 percent of the banking Web apps it tested contained at least one critical vulnerability. While Positive Technologies did not state which or how many apps it tested, it did note that financial institutions were over-represented in its sample.
ViperRAT Found in Official Google Play Store
Researchers at mobile security firm Lookout say they have identified two variants of the ViperRAT remote access trojan (RAT) masquerading as chat applications (“VokaChat” and “Chattak”) in the Google Play Store; together the two apps had been downloaded more than 1,000 times. Lookout notified Google, which promptly removed the applications from its marketplace. Earlier variants of ViperRAT have been used to spy on members of the Israel Defense Forces. It remains unclear who is being targeted in these attacks.