Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/31/2014
04:25 PM
50%
50%

Drupal: Attacks Started Within Hours Of Patch Release

If you didn't patch your site quickly, you should assume it was compromised, Drupal says.

Users of the Drupal content management system platform got a rude awakening this week: According to Drupal, automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 -- Drupal core -- SQL injection. And here's the kicker –- users should proceed with the assumption that every Drupal 7 website was compromised unless it was updated before 11:00 p.m. UTC on Oct. 15.

The vulnerability in question is a bug in a database abstraction API that allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks as well, according to Drupal.

Not long after a security advisory was posted Oct. 15, multiple attacks were reported in the wild.

"As soon as a vulnerability in popular CMS platforms like Drupal is discovered, millions of crawlers operated by hackers (similar to Google bots) start searching for vulnerable websites," says High-Tech Bridge CEO Ilia Kolochenko, in a statement.

Once a victim is identified, their website gets hacked, patched (to prevent competition from overtaking the same site), and backdoored, he says. Within several days, access to the compromised website will be sold on the black market, more than likely to different customers who may each resell it several more times, he adds.

The announcement by Drupal fits into a larger trend of security challenges facing content management systems (CMS). Such systems are juicy targets for cyber criminals because they can create a more efficient way for hackers to launch automated, large-scale attacks. Earlier this month, Imperva noted in a report that websites running WordPress were attacked 24% more than sites running on all other CMS platforms combined.

"Content management systems are on the front lines, getting assaulted via brute force attacks and other hack attempts on a daily basis," says Jerome Segura, senior security researcher at Malwarebytes, in a statement. "While the problem with site compromises often revolves around poor security practices from the owners themselves, this latest case where a vulnerability in Drupal was exploited only a few hours after it was announced is very alarming."

"The best defense in this arms race is about protecting your properties in various ways that complement each other," he continues. "While patching is important, there are other methods to defend against such attacks, for example by hardening your website against SQL injections, brute force attacks, and also by deploying a Web application firewall which can detect malicious behavior and stop them before they reach your internal applications."

Drupal notes in its advisory that updating to the latest version (7.32) patches the vulnerability but does not fix an already compromised website.

"If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised -- some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site," according to the advisory.

The Drupal security team also recommends site owners consult with their hosting provider. If they did not patch Drupal or otherwise block the SQL injection attacks within hours of the Oct. 15 announcement, site owners should restore their site to a backup from before that date.

Many people simply don't realize their website is a very attractive target for hackers, says Kolochenko.

"Obviously, hackers don't aim to hack their particular website, they just need to hack as many as they can to steal visitor's traffic and to infect visitors with malware that turns their PCs into bots to perform DDoS attacks or send spam," he says. 

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
11/3/2014 | 2:19:08 PM
No Surprises Here - Time to Change the Game
The cyber criminal toolkts are getting more flexible and advanced, as are the scripting skills in languages like Python, thus making the jump from published exploit to application of it much faster.  As quickly as the vulnerability is released and the site compromised, it is pushed to anonymous sales boards and admin/root accounts are sold/resold.  The surprises here are actually that 1) more ownership for secure coding/testing/end-user fixes isn't applied to projects like Drupal and other CMS, let alone FOSS (free and open source software) in general, and 2) that the international community isn't applying more pressure to cyber criminals by thoroughly destroying the infrastructure that allows such blackmarket shops to easily pop up and profit from these crimes.

Go to Packet Storm Security and drop in Drupal or WordPress.  Every exploit database out there is full of examples of the myriad ways in which vulnerabilities in LAMP (Linux Apache MySQL PHP) and variations on that platform can be exploited.  Proprietary software isn't necessarily more secure, but what makes code more secure is accountability.  Here I go again with an incredibly unpopular viewpoint, but if the Internet was better regulated, there would be standards and audits applied to code released to the Internet that could help (not solve) maintain a more secure code base for applications that can cause serious damage when compromised.  These activities are threats to our National security, make no mistake, and the buyers in these underground markets could have more in mind than simply obtaining a springboard to tag other sites, or steal a few hundred dollars in digital goods. 

This is just another vulnerability, but a good example of how cyber criminals are improving their "time to blackmarket" with our stolen digital goods.  The question is, whose buying these goods and how long before their intentions move from theft to acts of terror?   
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
10/31/2014 | 5:38:01 PM
That was fast....
I find it amazing the speed at which criminals can operate today, truly astounding.  Did Drupal release any information to customers so they can detect backdoors on their systems?
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.