Security Alerts & News
by Tymoteusz A. Góral

#812 Crooks used SQL injections to hack Drupal sites and install fake ransomware
Unknown attackers are leveraging a two-year-old vulnerability in Drupal installations to break into sites and install Web-based ransomware that hijacks the website's main page but fails to encrypt any files.

The first recorded complaints from victims of this new strain of ransomware appeared in late March on the official Drupal forums. Site admins described their websites as "being locked" with a message that read:

“Website is locked. Please transfer 1.4 BitCoin to address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to unlock content.”

Forkbombus Labs says that the threat actor behind this campaign starts by scanning websites for the presence of /CHANGELOG.txt (a Drupal CMS-specific file) and /joomla.xml files.

The attacker's scanning bot extracts the Drupal site's version, then uses the CVE-2014-3704 vulnerability to break into the affected websites and eventually change the admin user's password.

CVE-2014-3704 is an SQL injection vulnerability that affects Drupal 7.x installations prior to version 7.32.
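
The following is an added example, not code from the article or from Forkbombus Labs. It flags clients in a web access log that request both fingerprinting paths named above, and checks whether a site's own CHANGELOG.txt reports a Drupal 7.x release older than 7.32. The log lines, IP addresses and changelog text are constructed samples; the combined log format and the function names are assumptions.

```python
import re
from collections import defaultdict

# Paths the article says the scanning bot requests to fingerprint the CMS.
PROBE_PATHS = {"/CHANGELOG.txt", "/joomla.xml"}

# Assumed common/combined access log format: client IP first, request in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

# Release header as written in Drupal's CHANGELOG.txt, e.g. "Drupal 7.31, 2014-07-24".
RELEASE_RE = re.compile(r'^Drupal (\d+)\.(\d+)\b', re.MULTILINE)

# Constructed sample data (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Mar/2016:10:01:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 4312 "-" "-"',
    '203.0.113.7 - - [29/Mar/2016:10:01:03 +0000] "GET /joomla.xml HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.20 - - [29/Mar/2016:10:05:00 +0000] "GET /node/1 HTTP/1.1" 200 9120 "-" "-"',
    '198.51.100.20 - - [29/Mar/2016:10:05:09 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 4312 "-" "-"',
]
SAMPLE_CHANGELOG = "\nDrupal 7.31, 2014-07-24\n----------------------\n- Fixed security issues.\n"


def fingerprint_scanners(log_lines):
    """Return sorted client IPs that requested every path in PROBE_PATHS."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, target, _status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if path in PROBE_PATHS:
            seen[ip].add(path)
    return sorted(ip for ip, paths in seen.items() if paths == PROBE_PATHS)


def affected_by_cve_2014_3704(changelog_text):
    """True/False for Drupal 7.x below 7.32; None if no release header is found."""
    m = RELEASE_RE.search(changelog_text)  # first header is the newest release
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    return major == 7 and minor < 32


if __name__ == "__main__":
    print("clients probing both CMS files:", fingerprint_scanners(SAMPLE_LOG))
    print("site needs the 7.32 update:", affected_by_cve_2014_3704(SAMPLE_CHANGELOG))
```

A client that fetches only /CHANGELOG.txt, like the second address in the sample, is not flagged; requiring both paths keeps ordinary visitors and update checkers out of the result.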
#818 This sneaky botnet shows why you shouldn't use the same password for everything
#817 SWIFT network doubles down on security
#816 Google plans to bring password-free logins to Android apps by year-end
#815 Persistent EITest malware campaign jumps from Angler to Neutrino
#814 Two exploit kits spreading attacks for recent Flash Player zero day
#813 Windows 10 problem? Now everyone can gripe to Microsoft via Feedback Hub