Drupal websites have recently seen several highly critical security updates and patches that affect versions 6, 7, and 8. Unless you patched your site quickly after these were released in March & April, it’s extremely likely you’re website has already been compromised.
Here’s what you need to know now: Key Weaknesses
Jasper Mattson (Jasu_M) of Druid uncovered the first which impacts more than 1 million websites worldwide including major brands. Even news sites are doing their best to get the word out about the active exploits, number of big-name sites that are no longer safe, and the unique exploits of Drupalgeddon2 that are being seen in the wild.
Hackers use this vulnerability to infect servers and take complete control of sites. Once in, hackers can install backdoors, deface websites, deliver malicious payloads to your visitors, and steal information remotely.
These backdoors are a hidden way for these hackers to log in or gain access. These backdoors can exist anywhere in the websites code or database. Hackers may also create other user accounts or pretend to the administrator. Think of it like this: A thief finds your key and makes a working copy of it. Now he can come and go as he pleases. A backdoor gives the hacker now an imperceptible way to gain access. It’s nearly impossible to undo it or find the backdoor (a true needle in a haystack). The only way to be completely sure the website is clean is to restore a clean backup of your website's files and database.
All Drupal CMS Versions Vulnerable
According to Drupal Security Advisories, SA-CORE-2018-001 was released March 28, and is a critical issue with multiple vulnerabilities that requires 8.3.x sites to update to the 8.3 release. Then get the 8.5.x security release. Drupal 8.4.x sites need the 8.4.x release and the 8.5.x security release. Drupal sites on 7.x or 8.5.x also needed to update immediately.
SA-CORE-2018-002 was a highly critical remote code execution vulnerability on Drupal 6, 7.x and 8.x. This can completely compromise a site. Developers have dubbed it Drupalgeddon 2. It now has a 24/25 security risk score.
With security updates with this high of security criticality, it’s important to apply the provided patch or immediately update to the most recent version of Drupal core, or the website could be comprimised within a matter of hours.
Looming Business Consequences
If you have a government, news publishing, e-commerce, small business, resource directory, education, art, music, multi-media, social networking or conference website (yes that covers almost any website) that runs on Drupal, you need to act now.
Loss of Secure Information
Wondering what happens if you don’t? In addition to unfettered access to your information, hackers can add a script to steal it. Once data is stolen there’s no way to get it back. Remember you may see no trace of the Drupalgeddon2 attack.
The longer you wait the more you lose. Responsible disclosure also means that if your site is an ecommerce store or membership site, you’ll need to notify customers that their information could have been stolen.
As of Friday, April 20, 2018 hackers likely have already copied data from your site if you hadn't yet updated/patched. This information may be used maliciously.
Even if your website doesn't house secure information, your site could also be defaced without you noticing it. This would negatively impacts your SEO because Google gives a penalty for hacked sites. Your site may be defaced with things like nonsense, porn advertisements, and SPAM links. This can not only harm your website's stance in search engine result pages, but deteriorate the reputability of your business and brand amongst your visitors.
Harm to your visitors
The website could also be utilized to deliver malicious payloads to your visitors such as a download with a virus, spyware, malware, or ransomware.
Malicious cryptocurrency mining
The website could be used as a means to make others money. Reports began as early as Thursday, April 12 that botnets are exploiting the Drupal vulnerabilities and attackers are infecting servers with backdoor scripts and cryptocurrency-mining malware.
Since Friday, April 13, a Washington, D.C.-based cybersecurity solutions team at Volexity witnessed thousands of scan and exploitation attempts where attackers exploited the flaw to install malware.
According to Imperva, most attacks come from the United States and China and reports 2% are crypto miner attempts, 3% are backdoor infection attempts, and 90% are scanners.
What do I do if my Drupal website isn't up-to-date or has been hacked?
If your site hasn't been updated or patched, you must clean and update / patch against these vulnerabilities as soon as possible.
Contact Us and we'll be happy to advise you on the best options moving forward and can help restore backups if you have them. If not, the team will rebuild a site for you with a clean install.
Prevention is key
Looking ahead, the best thing you can do to prevent your site from being comprimised is to ensure you're regularly installing Drupal core & module security updates/patches as well as aware of and ready to act on any highly critical vulnerabilities that need urgent fixes. At schweb, we provide regular security updates for clients as well as follow Drupal's security advisories and immediately act on any highly critical updates like these for you.
Additionally, ensure you have regular backups of your website's files and database, so in the even you are hacked you don't have to manually rebuild your website, but can restore a clean backup.