© iStock, Drupal, Spiria.
Security researcher Troy Mursch has found that over 115,000 Drupal websites, including those of large universities, government organisations and media companies, are wide open to takeover because they have not installed the critical security patches released 10 weeks ago. Another researcher, Jérôme Segura of Malwarebytes, reports that many of these sites are already compromised and are being used to surreptitiously mine cryptocurrency in visitors' browsers or to serve malware to unsuspecting visitors.

Drupal is one of the most popular content management systems, alongside WordPress and Joomla. At the end of March 2018, Drupal disclosed a vulnerability in core's Form API that lets an unauthenticated attacker execute arbitrary code on the server (CVE-2018-7600); a related vulnerability in the same area followed a month later (CVE-2018-7602). Because of their severity and the ease of exploiting them (no account on the target site is needed), they were quickly nicknamed Drupalgeddon 2 and 3, after the original Drupalgeddon, a 2014 Drupal 7 SQL injection flaw (CVE-2014-3704) that was likewise mass-exploited within hours of its announcement.

Whatever CMS you use (no system is perfectly secure), it is crucial to install security patches as soon as they are released, especially since the window between the announcement of a vulnerability and its exploitation in the wild can be extremely short: automated attacks on CVE-2018-7600 began about two weeks after the advisory, as soon as a public proof of concept appeared. Bear in mind that applying the patch closes the hole but removes nothing an attacker has already installed; a site that stayed unpatched through the exploitation window should be treated as compromised and inspected. If you are not able to monitor announcements and apply patches within a reasonable timeframe, you may want to delegate this task to a professional external service.
⇨ Malwarebytes Labs, “A look into Drupalgeddon’s client-side attacks.”
⇨ Ars Technica, “Three months later, a mass exploit of powerful Web servers continues.”