Millions of websites could have been infiltrated by hackers after an SQL injection vulnerability in Drupal software used to host web content was exploited within seven hours of a patch being released.
Drupal issued a patch for the vulnerability on 15 October and urged companies to roll it out. The project said it has seen a stampede of cyber crooks attempting to infiltrate websites that had not applied the fix.
“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement,” Drupal said on its website.
“Multiple exploits have been reported in the wild following the release of this security advisory. If you did not update your site within seven hours of the bug being announced, we consider it likely your site was already compromised."
Drupal also warned that attackers could have infiltrated systems and made off with data without anyone knowing.
"Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack," the project said.
Sites that apply the patch now are not necessarily safe either: if attackers got in before the patch was installed, they will still be inside.
"Updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website," Drupal said.
Making matters worse, attackers may apply the patch themselves once inside a company's network, so that IT teams believe nothing is wrong.
"If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site," Drupal said.
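The "patched but not by you" symptom Drupal describes can be turned into a routine check against a site operator's own change records. The following Python is an added example, not Drupal's code or anything from the article; it assumes you keep a deployment log of (epoch seconds, version) entries and can read a Drupal 7 site's includes/bootstrap.inc and that file's mtime.

```python
import re

# Drupal 7 records its core version as a PHP constant in includes/bootstrap.inc,
# e.g. define('VERSION', '7.32');
VERSION_RE = re.compile(r"define\('VERSION',\s*'(\d+(?:\.\d+)+)'\);")
FIXED_VERSION = "7.32"  # release named in the advisory quoted above


def parse_drupal_version(bootstrap_inc: str):
    """Return the core version string found in bootstrap.inc contents, or None."""
    match = VERSION_RE.search(bootstrap_inc)
    return match.group(1) if match else None


def _as_tuple(version: str):
    return tuple(int(part) for part in version.split("."))


def assess_patch_state(bootstrap_inc: str, bootstrap_mtime: float, deploy_log):
    """Classify a site from its bootstrap.inc contents, that file's mtime (epoch
    seconds) and the operator's own deployment log: a list of (epoch seconds
    when the deploy completed, version) tuples.

    Returns 'unknown', 'unpatched', 'patched_by_us', 'patched_not_by_us'
    or 'patched_by_us_but_modified_since'."""
    version = parse_drupal_version(bootstrap_inc)
    if version is None:
        return "unknown"
    if _as_tuple(version) < _as_tuple(FIXED_VERSION):
        return "unpatched"  # advisory: assume compromise if not fixed within hours
    our_deploys = [ts for ts, v in deploy_log if v == version]
    if not our_deploys:
        # Site carries the fix but nobody on our side shipped it: the symptom
        # Drupal describes of an intruder closing the door behind themselves.
        return "patched_not_by_us"
    if bootstrap_mtime > max(our_deploys):
        return "patched_by_us_but_modified_since"  # core rewritten after our deploy
    return "patched_by_us"


# Constructed sample inputs (not taken from any real site).
SAMPLE_UNPATCHED = "<?php\ndefine('VERSION', '7.31');\ndefine('DRUPAL_CORE_COMPATIBILITY', '7.x');\n"
SAMPLE_PATCHED = "<?php\ndefine('VERSION', '7.32');\ndefine('DRUPAL_CORE_COMPATIBILITY', '7.x');\n"
DEPLOY_LOG = [(1413403200, "7.32")]  # our change record: 2014-10-15 20:00 UTC

if __name__ == "__main__":
    print(assess_patch_state(SAMPLE_PATCHED, 1413403100, DEPLOY_LOG))  # patched_by_us
```

A 'patched_not_by_us' result is a trigger for incident response, not reassurance: per the advisory, the fix does not undo an existing compromise.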
Gavin Millard, European technical director at Tenable Network Security, criticised Drupal for its approach to the security disclosure, claiming that information about the incident was not released in a sensible way.
“The issues highlighted by the Drupal team could have been reduced if responsible disclosure had been followed,” he said.
“Announcing a fundamental flaw in the code to everyone without giving much runway to the users of Drupal to proactively patch gives ample time for attackers to weaponise the flaw and exfiltrate data or manipulate the systems for later exploitation.”
However, Chris McIntosh, CEO at ViaSat UK, said the incident underlines the need for constant vigilance among security teams.
“Some might be outraged that Drupal has said that users should assume that they have been compromised if they haven’t applied the patch, but this needs to be the default position for any cyber security strategy," he said.
"If organisations are to have any hope of mitigating the risk, which is escalating by the day, they need to work backwards from this assumption, for instance confirming that each point on the network is still intact and can be trusted, and that any sensitive data such as customer financials has been encrypted."