Imperva said the attack began on February 23, three days after Drupal fixed the CVE-2019-6340 vulnerability and two days after PoC code for the vulnerability became available on different sites. Imperva said that the hundreds of attacks it detected were based on the PoC exploit, which again proved that the release of PoC code primarily helped the attacker, not the site owner.
This is not the first time attackers have exploited vulnerabilities to implant miners. The Drupal content management system received two patches last year, for Drupalgeddon 2 (CVE-2018-7600) and Drupalgeddon 3 (CVE-2018-7602). As in last week's incident, security researchers who analyzed the two vulnerabilities last year also released PoC code, which attackers used to launch attacks within a few days.