Attackers Exploit Drupal VulnerabilityAssume You've Been Hacked, Security Team Warns Users
A mass, automated attack has potentially compromised a vulnerability that exists in the majority of all websites that run the popular Drupal content management system.
More than 1 million websites use Drupal. The risk now, security experts say, is that attackers have likely already exploited hundreds of thousands of sites that still have the Drupal flaw, which allows attackers to inject SQL code into a site and seize control of it. Attackers can then use the site to target website visitors with drive-by malware attacks, as well as to relay spam and launch distributed-denial-of-service attacks.
In a public service announcement about the Drupal vulnerability, the team behind the open source software warns of the "highly critical" security risk facing all users of Drupal version 7, unless they updated their systems within seven hours of a recent security update being released. The security update was released Oct. 15.
"Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement," warns the Drupal security team's alert. "You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC - that is, 7 hours after the announcement."
Drupal further warns website administrators that if they didn't apply the patch - but somehow find themselves running the patched version - that means attackers have compromised the machine and installed the update themselves. By doing so, attackers can give themselves backdoor access to the system and block rival attackers from doing the same.
Many security experts have lauded the Drupal team for not attempting to downplay the threat. "This is an alarmingly candid, highly critical warning on Drupal security," says software architect Troy Hunt.
"You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC"ï¿½ Troy Hunt (@troyhunt) October 30, 2014
Automated AttacksDrupal is used by a number of big-name sites, ranging from AOL - for its corporate intranet - and the Economist to Sony Music and Harvard University. As of Oct. 19, Drupal reports, its CMS was being used by more than 1 million sites, nearly all of which are running version 7. But only about one-fifth of those installations had been upgraded to a patched version.
"If you find that your site is already patched but you didn't do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site," says Drupal's security team. Or hackers may have covered their tracks. "Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack," the team says.
Any site that's using a Web application firewall - or "virtual patching" - should also assume that it's been compromised. "It is not recommended to solely rely on WAF rules to protect your site against this SQL Injection vulnerability," Drupal says. "We're not aware of any WAF rule that can detect 100 percent of the attacks and avoid any false positives due to the nature of Drupal's module ecosystem. ... No mitigation will offer as good a fix as upgrading your site to Drupal 7.32."
Hackers Sell Access
"As soon as a vulnerability in popular CMS platforms like Drupal is discovered, millions of crawlers operated by hackers - similar to Google bots - start searching for vulnerable websites," says Ilia Kolochenko, CEO of Geneva, Switzerland-based information security services firm High-Tech Bridge. "Once a victim is identified, their website gets hacked, patched - to prevent 'competition' [from compromising] the same site - and backdoored. Within several days, access to the compromised website will be sold on the black market, more than likely to several different customers at the same time who each may well resell it several more times."
Kolochenko says criminals may purchase access to the compromised sites to give them attack launch pads. That might include attempting to infect all visitors to the site with malware that adds their PCs to a botnet that can be used to send spam, launch attacks, and engage in click fraud. Attackers might also install backdoors on the servers and use them to relay spam or launch high-bandwidth DDoS attacks.
"Compromised servers are a commodity and access to them has been sold as a service for some time," software architect Hunt says. "Keep in mind also that Drupal covers a huge spectrum of sites with all sorts of data that's highly attractive to attackers. Many of them will have financial data or sensitive personal data that either poses a direct benefit to the attacker or can be traded online."
"The only limitation here is the imagination of the hacker," Kolochenko says.
For any Drupal installation that wasn't updated within seven hours of the Oct. 15 patch release, Drupal has recommended a number of mitigation steps, including taking the Drupal website offline and replacing it with a static HTML page.
Whenever possible, Drupal recommends obtaining a new, fully updated server, and then restoring a pre-Oct. 15 Drupal backup of user data to that server. "Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with," Drupal says.