Hundreds of thousands of websites run on Drupal

Oct 30, 2014 09:13 GMT

All websites running version 7 of Drupal CMS (content management system) that have not been updated to build 7.32 shortly after the disclosure of a highly critical SQL vulnerability on October 15 should be considered hacked, a security advisory from Drupal alerts.

Administrators of Drupal websites should have been on high alert in the middle of the month and should have applied the patch released by the CMS developers in the new version of the product.

Quick update adopters have nothing to worry about

The security flaw, tracked as CVE-2014-3704, allows a potential attacker to execute arbitrary commands remotely without authentication by sending specially crafted SQL requests, which can lead to complete compromise of the website. The issue is extremely serious because an attack may leave no trace of the incident.

Ironically, the exploit leverages an API designed to sanitize SQL queries and prevent exactly this type of incident.

Drupal developers issued a public service announcement on Wednesday, informing users that automated attacks taking advantage of this flaw were recorded just hours after the public disclosure.

“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” the advisory says.

Statistics show that more than 400,000 websites run on Drupal. According to data published by w3techs on October 30, 1.9% of all the websites online rely on Drupal, and 1.3% of them run version 7 of the CMS; of these, only 8.2% are updated to build 7.32.

Applying the update does not ensure the integrity of the website

Because it is easy to exploit, the flaw is rated highly critical, and multiple security companies announced at the time that some of their clients had been compromised.

Sucuri detected incidents in the wild taking advantage of the weakness about eight hours after the public disclosure.

Volexity observed widespread scanning for websites that could be taken over, even against sites running a different CMS product. The company also noticed activity from IP addresses associated with APT groups.

Proof-of-concept code soon appeared publicly, making an attack even easier to launch.

Drupal says that a compromised website that updates to the latest build of the CMS is not off the hook, because backdoors still remain on the site. Patching does not remove any of the malicious files already uploaded by the cybercriminals; it only closes the bug that allowed the attack.

It appears that in some cases the cybercriminals would apply the patch themselves after gaining control of the website, presumably to keep other bad actors from obtaining administrative privileges on the same asset.

On the same note, crooks know that hosting providers often take responsibility for updating the website software themselves. Patching the site after taking control increases the chances of the compromise passing unnoticed.

Starting from scratch or restoring a safe copy is recommended

Cleaning a website of every backdoor the bad actors may have planted is a highly difficult task, and there is no guarantee that every access point will be found. This is why the Drupal security team recommends either rebuilding from scratch or restoring a backup of the site taken before October 15, the day the vulnerability was disclosed.

The Drupal security team recommends taking the potentially affected website offline and alerting the server administrator to the potential risk to other assets hosted there.

Restoring a backup copy of the website, applying the latest patch and putting the site back online are the next steps to take.

Everything imported from the potentially hacked site (code, files) should be closely verified to make sure that no backdoors are carried over into the clean configuration.
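The recovery checks described above (confirm the restored tree is at build 7.32 or later, then compare it against the pre-October-15 backup before trusting anything taken from the hacked copy), as an added Python example that is not code from the article or from the Drupal project. It assumes the standard Drupal 7 layout (`includes/bootstrap.inc` defining `VERSION`, uploads under `sites/*/files`) and builds a constructed sample tree in a temporary directory so it runs offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

PATCHED = (7, 32)  # first Drupal 7 build carrying the fix for CVE-2014-3704

def drupal_version(root: Path):
    """Parse the VERSION constant from includes/bootstrap.inc (Drupal 7 layout)."""
    text = (root / "includes" / "bootstrap.inc").read_text()
    m = re.search(r"define\('VERSION',\s*'(\d+)\.(\d+)'\)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def tree_hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(live: Path, backup: Path) -> dict:
    """Compare a possibly compromised site tree against a backup taken before October 15."""
    live_h, back_h = tree_hashes(live), tree_hashes(backup)
    # sites/*/files is Drupal's upload directory; executable PHP there is a classic backdoor spot
    php_uploads = [p for p in live.glob("sites/*/files/**/*")
                   if p.is_file() and p.suffix.lower() in (".php", ".phtml")]
    return {
        "patched": (drupal_version(live) or (0, 0)) >= PATCHED,
        "added": sorted(set(live_h) - set(back_h)),
        "modified": sorted(k for k in live_h.keys() & back_h.keys() if live_h[k] != back_h[k]),
        "php_in_files_dir": sorted(p.relative_to(live).as_posix() for p in php_uploads),
    }

def build_demo_trees() -> tuple:
    """Constructed sample: a clean 7.31 backup and a live copy patched to 7.32 but backdoored."""
    base = Path(tempfile.mkdtemp())
    for name, version in (("backup", "7.31"), ("live", "7.32")):
        root = base / name
        (root / "includes").mkdir(parents=True)
        (root / "sites" / "default" / "files").mkdir(parents=True)
        (root / "includes" / "bootstrap.inc").write_text(f"<?php\ndefine('VERSION', '{version}');\n")
        (root / "index.php").write_text("<?php require 'includes/bootstrap.inc';\n")
    live = base / "live"
    (live / "sites" / "default" / "files" / "x.php").write_text("<?php /* constructed marker */\n")
    (live / "index.php").write_text("<?php /* altered */ require 'includes/bootstrap.inc';\n")
    return live, base / "backup"

if __name__ == "__main__":
    live, backup = build_demo_trees()
    for key, value in audit(live, backup).items():  # patched is True, yet backdoor files show up
        print(f"{key}: {value}")
```

The sample deliberately reports the live copy as patched while still listing an added PHP file in the upload directory and a modified `index.php`, which is the situation the advisory warns about: the version check alone says nothing about whether backdoors remain.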