Nearly six months have passed since a major Drupal SQL injection vulnerability was disclosed, and yet attackers are continuing to try, sometimes successfully, to exploit websites that have failed to update their systems.
Trustwave analyzed one such exploitation in a Friday blog post that, more than anything, stresses the importance of keeping up with patching, said Ryan Barnett, senior lead security researcher at Trustwave, in an interview with SCMagazine.com.
The particular attack originated in California, and began with the attacker exploiting the vulnerability to create a new admin account. After gaining access to the site's Drupal system with administrative credentials, the attacker pivoted locations by switching up IP address to one based in Morocco.
At this point, the attack could have been thwarted by defining Restricted GeoLocations (Country Codes) in a Web Application Firewall for locations that are frequently hotbeds of fraudulent activity, or for countries with which business usually isn't conducted, Barnett noted in the post.
In this case, that didn't happen; the attacker was able to fully log in and initiate multiple PHP files to create backdoors into the system, in case access was ever lost.
Ultimately, the attacker used this successful exploitation to deface the affected website, but the damage could have been far worse, Barnett warned.
“The top things we see when a web server is compromised is having [the server] join a botnet, which is used to do distributed denial-of-service (DDoS) attacks,” he said. “They [the attackers] also are able to distribute malware. If they run a legitimate site they can put in malicious link.”
If a compromised site is involved in ecommerce the attacker could also modify the check-out process to get payment information, he said.
“At this level of access, they can do whatever they want,” he said.
The amount of damage done really depends on how long attackers are able to roam freely through the Drupal system, Barnett said. This entire attack took only 18 minutes.
“You can't look at [the systems] at night and say, ‘I'll check in the morning,'” he said. “If you are compromised, the quicker you can contain it the better.”