This year was a banner year for content management system (CMS) hacking. All the big names, including WordPress, Drupal and Joomla, were targeted in 2014, resulting in thousands of breaches that opened back doors, uploaded Trojans and created large-scale botnets for denial-of-service attacks. The following are the big-number takeaways from these CMS vulnerabilities:

Why CMS Hacking?

While it’s tempting to relegate CMS as “also-rans” in the world of security breaches, there is real risk when content management platforms are hacked. High-profile breaches such as Target and Home Depot garnered attention due to the Backoff malware, and rightly — many retailers use point-of-sale systems that aren’t properly secured. As noted by Web Technology Surveys, however, 75 percent of websites using a CMS are powered by popular platforms such as WordPress, Joomla and Drupal, all of which are built on open-source code, are free to use and are largely maintained by a passionate community of users. In other words, this is a huge market for cybercriminals — and since almost every bit of code they need to break down CMS walls is publicly available, it’s no surprise that they are popular targets. But how bad was 2014, really?

WordPress Hacks

In July, a flaw in MailPoet Newsletters allowed attackers to upload arbitrary PHP files to Web servers and take control of WordPress-based websites, according to PCWorld. The hack was used to compromise at least 50,000 websites, and while a newer version of the plugin fixed the problem, many users were unaware of any issues until it was too late.

“The back door is very nasty and creates an admin user called 1001001,” said security researchers from Sucuri, noting that it “also injects a backdoor code to all theme/core files.”

On Nov. 20, the official WordPress site announced that any versions earlier than 3.9.2 required a patch to deal with cross-site scripting vulnerabilities. Almost 86 percent of the 75 million sites running WordPress were vulnerable, and although the CMS provider said there is no evidence any websites were compromised, it’s a hard pill to swallow considering that just a month earlier, 800,000 banking credentials were stolen using hacked WordPress sites, according to Data Breach Today.
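The two indicators the article gives for the MailPoet compromise (an injected admin user named 1001001 and backdoor code written into theme/core files) and the version cutoff in the paragraph above are both things a site owner can check mechanically. The following script is an added example, not code from the original post or from WordPress, Sucuri or MailPoet. It compares a WordPress tree against a previously recorded SHA-256 baseline to flag modified or newly added files, checks a list of usernames against the reported backdoor account, and parses `wp-includes/version.php` to see whether the install predates 3.9.2. The directory layout, file contents and usernames in `demo()` are constructed for the example; the regex for `$wp_version` matches the way WordPress declares it but the sample contents here are not real WordPress files.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicator reported by Sucuri (quoted in the article): the backdoor
# created an admin user with this name.
SUSPICIOUS_USERNAMES = {"1001001"}

# Version cutoff stated in the article for the XSS advisory.
MINIMUM_SAFE_VERSION = "3.9.2"


def sha256_of(path: Path) -> str:
    """Hash a file's bytes so edits to PHP files show up as a changed digest."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record {relative_path: sha256} for every file under root (taken at a known-good point)."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def find_modified_files(root: Path, baseline: dict) -> list:
    """Return files whose digest differs from the baseline, plus files the baseline never saw."""
    current = build_baseline(root)
    changed = [rel for rel, digest in current.items() if baseline.get(rel) != digest]
    return sorted(changed)


def find_suspicious_users(usernames) -> list:
    """Return any usernames that match the backdoor account reported in the article."""
    return sorted(set(usernames) & SUSPICIOUS_USERNAMES)


def wp_version_from_file(text: str):
    """Extract the version string from a wp-includes/version.php body; None if absent."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    return m.group(1) if m else None


def version_below(version: str, minimum: str) -> bool:
    """Numeric tuple comparison so '3.10' is not treated as older than '3.9'."""
    to_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return to_tuple(version) < to_tuple(minimum)


def demo() -> dict:
    """Build a constructed WordPress-like tree, baseline it, inject a change, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files; not real WordPress sources.
        files = {
            "wp-includes/version.php": "<?php\n$wp_version = '3.9.1';\n",
            "wp-content/themes/twentyfourteen/functions.php": "<?php\n// theme functions\n",
            "wp-content/themes/twentyfourteen/header.php": "<?php\n// theme header\n",
        }
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        baseline = build_baseline(root)

        # Simulate the kind of theme-file injection the article describes
        # (constructed marker, not the real backdoor code).
        injected = root / "wp-content/themes/twentyfourteen/functions.php"
        injected.write_text(injected.read_text() + "// CONSTRUCTED: injected marker\n")

        version = wp_version_from_file((root / "wp-includes/version.php").read_text())
        return {
            "modified": find_modified_files(root, baseline),
            "version": version,
            "outdated": version_below(version, MINIMUM_SAFE_VERSION),
            # Constructed user list standing in for a dump of wp_users.user_login.
            "users": find_suspicious_users(["admin", "editor", "1001001"]),
        }


if __name__ == "__main__":
    print(demo())
```

The baseline has to be captured from a clean install or a fresh download of the same version; comparing against hashes taken after a compromise only proves the files have not changed since. In practice the user list would come from the `wp_users` table and the baseline from the release archive, both of which are outside what this example embeds.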

Drupal Bugs

Drupal, meanwhile, was hit by a bug in October, according to the BBC. Twelve million websites were put at risk, and Drupal staff issued a prepared statement warning that if users didn’t take action within seven hours after the bug was discovered on Oct. 15, they should consider themselves compromised. Left unchecked, the bug allowed malicious users to create back doors and take control of websites.

According to Mark Stockley of security firm Sophos, Drupal should not rely on users to patch their own systems after these types of CMS hacks.

“What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default,” he said.

Joomla Vulnerabilities

According to CSO Online, Joomla also came under fire this year when the popular e-commerce plugin VirtueMart was hacked. More than 3.5 million websites use VirtueMart. When the plugin was compromised, malicious actors gained “super-admin” privileges. Anyone using versions prior to 2.6.10 was at risk, and for some companies this meant going through the code line by line looking for problems, since they had large orders or other projects already in progress and the plugin developers weren’t forthcoming with the exact code location.

All of the Above

More recently, SiliconANGLE reported that WordPress, Drupal and Joomla were equally vulnerable to a new packaged back door, CryptoPHP. Once installed, CryptoPHP could enable public key encryption for communication between a compromised server and a command-and-control (C&C) server, create manual back doors, remotely update the list of compromised servers and prevent takedowns of C&C servers via email communication.

The takeaway from all this CMS hacking is that common platforms are ideal targets for malicious actors, especially when they’re provided for free and don’t offer the same kind of security as for-pay software. The numbers don’t lie — it was a banner year for CMS hacks, and companies should be ready for even more in 2015.
