Late last year, Drupal announced a highly critical security advisory urging administrators to update Drupal 7 sites after automated attacks began compromising them. Last week, researchers from Trustwave reported that websites are still being attacked nearly six months later, and in some cases successfully exploited, unless they have been updated.
What was the security alert?
Drupal warned its users in October 2014 of an SQL injection vulnerability that could leave thousands of websites adversely affected unless they applied an update or a patch to their Drupal 7 websites.
But the advisory went further, warning administrators that if the update was not applied within a seven-hour window, they should assume their website had been compromised and would need system updates and damage control.
Analysis of a Real World Drupal SQL Injection Vulnerability Attack
Trustwave's SpiderLabs posted an overview of one such attack in a blog post that emphasizes the importance of patching and explains how their Web Application Firewall offering could help.
The real-world attack analyzed originated in California and began by adding a new "admin" account, which is the injection point for the vulnerability. It exploits flaws in the SQL API used by Drupal 7, which, ironically, was designed to prevent SQL injection attacks.
At this point an admin account with a preset password exists and gives full control over the Drupal system. The exploit then pivoted to an IP address based in Morocco. With admin control, the attacker began uploading PHP files to the hacked system to abuse its functionality and create backdoors for later use. Finally, the attacker used this foothold to deface the affected website.
The complete attack, from exploitation through infection to defacement, took less than twenty minutes. The amount of harm done in an attack depends on how long the hacked system remains under the attacker's control.
How to determine whether a system is compromised, and how to prevent it?
Any malicious activity leaves behind traces indicating that a system has been compromised. These traces are referred to as Indicators of Compromise (IOCs). Monitoring systems such as the Trustwave Web Application Firewall (WAF) watch for these IOCs and respond accordingly to minimize the potential impact of the attack. But unless the WAF is tuned and has blocking enabled, it serves little purpose to the organization.
At each step of the attack, IOCs and their corresponding alerts were generated by the WAF. But since the WAF was configured in monitoring mode only, it did not attempt to block anything.
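As an added illustration (not Trustwave's code and not part of the original post), here is a small Python correlator that walks a constructed event stream following the chain described above and shows the difference between the two WAF modes: in monitoring mode every matched IOC produces an alert but the chain continues, while in blocking mode the first matching request is dropped and nothing after it happens. The event fields, country codes, IP addresses, account name and file names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Event:  # one observed request (constructed for this illustration)
    ts: int        # seconds since the first event of the chain
    ip: str
    country: str   # ISO 3166 code of the source IP (assumed geolocation)
    user: str
    action: str    # "create_admin", "login" or "upload"
    detail: str = ""

@dataclass
class Verdict:
    ts: int
    ioc: str
    action: str    # "alert" in monitoring mode, "block" in blocking mode

def correlate(events, blocking=False):
    """Emit one Verdict per matched IOC. Stateful: remembers admin accounts
    created through a web request and the country that request came from."""
    created = {}   # user -> country of the request that created it
    verdicts = []
    for ev in events:
        ioc = None
        if ev.action == "create_admin":
            created[ev.user] = ev.country
            ioc = "new admin account created via web request"
        elif ev.action == "login" and ev.user in created \
                and ev.country != created[ev.user]:
            ioc = "admin login from %s, account created from %s" % (
                ev.country, created[ev.user])
        elif ev.action == "upload" and ev.user in created \
                and ev.detail.lower().endswith(".php"):
            ioc = "PHP file uploaded by suspicious admin: " + ev.detail
        if ioc is None:
            continue
        verdicts.append(Verdict(ev.ts, ioc, "block" if blocking else "alert"))
        if blocking:
            break  # request dropped, so the rest of the chain never runs
    return verdicts

# Constructed sample chain mirroring the narrative: account created from
# California (US), pivot to Morocco (MA), backdoor upload, then defacement.
SAMPLE_EVENTS = [
    Event(0, "198.51.100.7", "US", "admin2", "create_admin"),
    Event(300, "203.0.113.9", "MA", "admin2", "login"),
    Event(420, "203.0.113.9", "MA", "admin2", "upload", "files/backdoor.php"),
    Event(900, "203.0.113.9", "MA", "admin2", "upload", "index.html"),
]
```

The final upload (index.html, the defacement) matches none of these rules, which is exactly the kind of coverage gap that makes continuous monitoring necessary on top of any automated blocking.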
The main takeaways from this scenario are, firstly, that any organization can easily protect its site from exploitation if its Drupal software is up to date with the latest patch urged by Drupal in its announcement. Secondly, a WAF can help by not only detecting but also responding, if it is configured in blocking mode rather than monitoring mode only. And lastly, but most importantly, one should constantly monitor web applications regardless of the security software installed.