Users of the Drupal content management system got a rude awakening this week: According to Drupal, automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 (Drupal core -- SQL injection). And here's the kicker -- users should proceed with the assumption that every Drupal 7 website was compromised unless it was updated before 11:00 p.m. UTC on Oct. 15.
The vulnerability in question is a bug in a database abstraction API that allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks as well, according to Drupal.
Not long after a security advisory was posted Oct. 15, multiple attacks were reported in the wild.
"As soon as a vulnerability in popular CMS platforms like Drupal is discovered, millions of crawlers operated by hackers (similar to Google bots) start searching for vulnerable websites," says High-Tech Bridge CEO Ilia Kolochenko, in a statement.
Once a victim is identified, their website gets hacked, patched (to prevent competition from overtaking the same site), and backdoored, he says. Within several days, access to the compromised website will be sold on the black market, more than likely to different customers who may each resell it several more times, he adds.
The announcement by Drupal fits into a larger trend of security challenges facing content management systems (CMS). Such systems are juicy targets for cyber criminals because they can create a more efficient way for hackers to launch automated, large-scale attacks. Earlier this month, Imperva noted in a report that websites running WordPress were attacked 24% more than sites running on all other CMS platforms combined.
"Content management systems are on the front lines, getting assaulted via brute force attacks and other hack attempts on a daily basis," says Jerome Segura, senior security researcher at Malwarebytes, in a statement. "While the problem with site compromises often revolves around poor security practices from the owners themselves, this latest case where a vulnerability in Drupal was exploited only a few hours after it was announced is very alarming."
"The best defense in this arms race is about protecting your properties in various ways that complement each other," he continues. "While patching is important, there are other methods to defend against such attacks, for example by hardening your website against SQL injections, brute force attacks, and also by deploying a Web application firewall which can detect malicious behavior and stop them before they reach your internal applications."
Drupal notes in its advisory that updating to the latest version (7.32) patches the vulnerability but does not fix an already compromised website.
"If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised -- some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site," according to the advisory.
The Drupal security team also recommends site owners consult with their hosting provider. If they did not patch Drupal or otherwise block the SQL injection attacks within hours of the Oct. 15 announcement, site owners should restore their site to a backup from before that date.
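A check for the "already patched, but not by you" symptom described above, written as an added example rather than anything from Drupal or the advisory. It assumes the 7.32 fix is the counter-based placeholder loop in expandArguments() in includes/database/database.inc and that the declared version lives in includes/bootstrap.inc; the file snippets below are constructed stand-ins for those files.

```python
import re
import sys
from pathlib import Path

# Assumed signature of the SA-CORE-2014-005 fix shipped in Drupal 7.32:
# expandArguments() stops using the caller's array keys as placeholder
# suffixes and counts with $i instead. VERSION is defined in bootstrap.inc.
VERSION_RE = re.compile(r"define\('VERSION',\s*'([\d.]+)'\)")
VULN_RE = re.compile(r"foreach\s*\(\s*\$data\s+as\s+\$i\s*=>\s*\$value\s*\)")
FIXED_RE = re.compile(r"\$i\s*=\s*0;\s*foreach\s*\(\s*\$data\s+as\s+\$value\s*\)")
FIXED_VERSION = (7, 32)

def parse_version(bootstrap_src):
    """Return the VERSION constant as an int tuple, or None if absent."""
    m = VERSION_RE.search(bootstrap_src)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def assess(bootstrap_src, database_src):
    """Classify a Drupal 7 tree from the contents of the two relevant files."""
    version = parse_version(bootstrap_src)
    fixed = bool(FIXED_RE.search(database_src))
    vulnerable = bool(VULN_RE.search(database_src))
    if version is None or not (fixed or vulnerable):
        return "unknown"               # not Drupal 7, or code we don't recognise
    if fixed and version >= FIXED_VERSION:
        return "updated"               # the official 7.32 release
    if fixed:
        return "patched-out-of-band"   # fix present but VERSION not bumped: investigate
    return "vulnerable"

def assess_tree(root):
    """Run assess() against a real Drupal docroot."""
    root = Path(root)
    return assess((root / "includes/bootstrap.inc").read_text(),
                  (root / "includes/database/database.inc").read_text())

# Constructed snippets standing in for the real files.
BOOTSTRAP_731 = "<?php\ndefine('VERSION', '7.31');\n"
BOOTSTRAP_732 = "<?php\ndefine('VERSION', '7.32');\n"
DB_VULN = ("      foreach ($data as $i => $value) {\n"
           "        $new_keys[$key . '_' . $i] = $value;\n      }\n")
DB_FIXED = ("      $i = 0;\n      foreach ($data as $value) {\n"
            "        $new_keys[$key . '_' . $i] = $value;\n        ++$i;\n      }\n")

if __name__ == "__main__":
    # With a docroot argument, inspect it; otherwise show the suspicious case.
    print(assess_tree(sys.argv[1]) if len(sys.argv) > 1 else assess(BOOTSTRAP_731, DB_FIXED))
```

A "patched-out-of-band" result only says someone applied the fix without a full update; per the advisory, treat it as a compromise indicator and restore from a backup predating Oct. 15 rather than as proof of safety.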
Many people simply don't realize their website is a very attractive target for hackers, says Kolochenko.
"Obviously, hackers don't aim to hack their particular website, they just need to hack as many as they can to steal visitors' traffic and to infect visitors with malware that turns their PCs into bots to perform DDoS attacks or send spam," he says.