FortiNDRCloud
SaaS based NDR solution providing 365 days data retention, along with Technical Success Manager
kcheung
Staff
Article Id 414400
Description

FortiGuard Labs have observed ShadowSilk, an advanced persistent threat (APT) group, targeting vulnerabilities in Drupal and the ValvePress WP-Automatic WordPress plugin.


Drupal is a free, open-source content management system (CMS) used to build and manage dynamic websites and web applications.


ValvePress WP-Automatic is a WordPress plugin that automatically imports content from various sources (like RSS feeds, websites, social media, and APIs) and publishes it to your site.


ShadowSilk is an APT group that targets organizations across Central Asia and the Asia-Pacific region, with a particular focus on government entities. ShadowSilk operations are characterized by using publicly available exploits, penetration-testing frameworks, and infrastructure sourced from the dark web to facilitate large-scale data exfiltration campaigns.


ShadowSilk has used the following software vulnerabilities to target organizations:


CVE-2018-7600 is a remote code execution (RCE) vulnerability in Drupal which could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests.

The following versions of Drupal are vulnerable to CVE-2018-7600:

  • Version < 7.58
  • 8.00 ≤ Version < 8.39
  • 8.40 ≤ Version < 8.46
  • 8.50 ≤ Version < 8.51


CVE-2018-7602 is a remote code execution (RCE) vulnerability in Drupal which could allow an authenticated attacker to take control of an affected website due to improper input validation.

The following versions of Drupal are vulnerable to CVE-2018-7602:

  • 7.00 ≤ Version < 7.59
  • 8.40 ≤ Version < 8.48
  • 8.50 ≤ Version < 8.53


CVE-2024-27956 is a SQL injection vulnerability in the ValvePress WP-Automatic WordPress plugin which could allow unauthenticated attackers to execute arbitrary SQL commands.

The following versions of ValvePress WP-Automatic WordPress plugin are vulnerable to CVE-2024-27956:

  • 3.92.0 ≤ Version

CVE IDs:

  • CVE-2018-7600 (https://nvd.nist.gov/vuln/detail/CVE-2018-7600)
  • CVE-2018-7602 (https://nvd.nist.gov/vuln/detail/CVE-2018-7602)
  • CVE-2024-27956 (https://nvd.nist.gov/vuln/detail/CVE-2024-27956)

NDR Cloud Detection Rule

FortiNDR Cloud v25.3c+

Detection Rule Name | Category | Primary MITRE ID
FortiGuard Outbreak Alert: Drupal Core HTTP Remote Code Injection - CVE-2018-7600 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: Drupal Core HTTP Remote Code Injection - CVE-2018-7602 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: WordPress ValvePress Automatic SQL Injection - CVE-2024-27956 | Attack: Exploitation | T1190 - Exploit Public-Facing Application

Playbook: N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for "ShadowSilk Data Exfiltration Attack" related activities.

IOC source: https://www.fortiguard.com/outbreak-ioc?tag=ShadowSilk%20Data%20Exfiltration

All IOCs relating to "ShadowSilk Data Exfiltration Attack" have been added to Threat Intelligence Intel.

Suricata Coverage

Customers can create custom investigations and detections using the Suricata signatures below:

2025494 -> ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)

2025534 -> ET WEB_SPECIFIC_APPS Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)

2025646 -> ET WEB_SPECIFIC_APPS [eSentire] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)

2025533 -> ET WEB_SPECIFIC_APPS Drupal RCE (CVE-2018-7602)
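As an added example (not Fortinet's code and not part of this article), the following Python script triages Suricata EVE JSON alert output by the four signature IDs listed above, mapping each hit to the CVE it covers and to the T1190 technique from the detection-rule table, and then summarises hits per CVE and per source address so an analyst knows which hosts to look at first. The EVE lines are constructed samples (RFC 5737 documentation addresses, no real traffic); the field names used (event_type, alert.signature_id, src_ip, dest_ip, dest_port) are the standard Suricata EVE alert fields.

```python
import json
from collections import Counter, defaultdict

# Suricata SIDs listed in the article, mapped to the CVE each signature covers.
SHADOWSILK_SIDS = {
    2025494: "CVE-2018-7600",
    2025534: "CVE-2018-7600",
    2025646: "CVE-2018-7600",
    2025533: "CVE-2018-7602",
}
# Primary MITRE ATT&CK technique from the article's detection-rule table.
MITRE_TECHNIQUE = "T1190 - Exploit Public-Facing Application"

# Constructed sample EVE JSON lines (not real traffic); only the fields used below are populated.
# The last line is deliberately malformed to show that the parser skips it instead of aborting.
SAMPLE_EVE = [
    '{"timestamp":"2025-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.10",'
    '"dest_ip":"192.0.2.20","dest_port":80,"alert":{"signature_id":2025494,'
    '"signature":"ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 RCE Through Registration Form (CVE-2018-7600)"}}',
    '{"timestamp":"2025-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.10",'
    '"dest_ip":"192.0.2.20","dest_port":80,"alert":{"signature_id":2025533,'
    '"signature":"ET WEB_SPECIFIC_APPS Drupal RCE (CVE-2018-7602)"}}',
    '{"timestamp":"2025-01-01T10:00:07.000000+0000","event_type":"http","src_ip":"198.51.100.5",'
    '"dest_ip":"192.0.2.20","dest_port":80,"http":{"hostname":"www.example.com","url":"/"}}',
    '{"timestamp":"2025-01-01T10:00:09.000000+0000","event_type":"alert","src_ip":"198.51.100.7",'
    '"dest_ip":"192.0.2.21","dest_port":443,"alert":{"signature_id":2100498,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
    'this line is not json',
]


def parse_eve(lines):
    """Yield decoded EVE records, skipping malformed lines rather than aborting the hunt."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def shadowsilk_alerts(lines):
    """Return alert records whose SID is one of the article's signatures, tagged with CVE and technique."""
    hits = []
    for rec in parse_eve(lines):
        if rec.get("event_type") != "alert":
            continue
        sid = rec.get("alert", {}).get("signature_id")
        if sid in SHADOWSILK_SIDS:
            hits.append({
                "timestamp": rec.get("timestamp"),
                "src_ip": rec.get("src_ip"),
                "dest_ip": rec.get("dest_ip"),
                "dest_port": rec.get("dest_port"),
                "sid": sid,
                "cve": SHADOWSILK_SIDS[sid],
                "mitre": MITRE_TECHNIQUE,
            })
    return hits


def summarize(hits):
    """Group matched alerts by CVE and by source IP to prioritise which hosts to investigate first."""
    by_cve = Counter(h["cve"] for h in hits)
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["src_ip"]].add(h["cve"])
    return {
        "by_cve": dict(by_cve),
        "by_src": {ip: sorted(cves) for ip, cves in by_src.items()},
    }


if __name__ == "__main__":
    # In production, replace SAMPLE_EVE with open("/var/log/suricata/eve.json") or a SIEM export.
    matched = shadowsilk_alerts(SAMPLE_EVE)
    for h in matched:
        print(f'{h["timestamp"]} {h["src_ip"]} -> {h["dest_ip"]}:{h["dest_port"]} '
              f'sid={h["sid"]} {h["cve"]} [{h["mitre"]}]')
    print(summarize(matched))
```

Matching on signature_id rather than on the signature text keeps the triage stable across ET ruleset revisions, where the message string changes more often than the SID; the CVE-2024-27956 rule is a FortiNDR Cloud detection rather than an ET signature in this article, so it is not in the SID map.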

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to:

https://www.fortiguard.com/outbreak-alert/shadowsilk-data-exfiltration
