If you’re running an outdated WordPress, Drupal or some other CMS, you are in high danger of hacking. What is worse is that Mossack Fonseca, the law firm associated with the Panama Papers breach, already became a victim in such a scenario. Other big companies are also prone to hacking, as revealed by a research conducted by US security vendor RiskIQ.
The firm decided to examine the situation with well-known companies running on CMS platforms via the FTSE-30. This is how they established who uses WordPress and Drupal, and who uses outdated versions of the platforms, too.
Outdated WordPress and Drupal Versions Favored by Attackers
CMS vulnerabilities are a common denominator of many of the successful attacks we read about. With the ubiquitous nature of CMSs in driving the web experience, potential risks lurk for virtually all organizations. According to W3 Techs’ Web Technology Surveys, 65 percent of all websites using a CMS use WordPress or Drupal, which use open-source code that’s available to all—including malicious actors looking for exposures to exploit. The size of the WordPress and Drupal communities compounds the problem, as almost every vulnerability is found and publicized, many of which threat actors exploit before the good guys can patch them.
Who Has Been Analyzed by RiskIQ?
Their investigation includes corporations like British American Tobacco, BP, British Gas, Vodafona, BAE systems, Royal Bank of Scotland, GlaxoSmithKline, Softpedia writes. The total number of big-company-websites being hosted on either WordPress or Drupal is 1609. Researchers were able to verify the CMS version of 773 of these websites, 307 running outdated WordPress and Drupal versions with known vulnerabilities (CVEs) within.
The results of RiskIQ’s research prove that companies have not learnt their lesson. Which means that the case with the Mossack Fonseca data incident will not be the last one. Attackers have long preferred to craft their attacks via vulnerable CMS websites. Running an outdated version of WordPress or Drupal literally invites criminals in your backyard. Even if attackers cannot gain full access on a targeted company’s entire network, they could still use the vulnerable CMS for future attacks or reconnaissance campaigns.
WordPress- and Drupal-related malware attacks that have taken place in the near past:
- SoakSoak Malware Targets WordPress Websites
- TeslaCrypt Spread Via Vulnerable WordPress Pages
- “Drupal” Ransomware Uses SQL Injection