On January 14, 2022, we were made aware that some Ukrainian government websites running on October CMS were targeted by hackers. The hackers replaced the websites' home pages with a political message. The Ukrainian Ministry of Digital Transformation has announced that there was no data leak.
Based on the information available from the news, the hacker used a vulnerability that was known to October CMS maintainers and the community. The update (commit) fixing it was pushed on March 31, 2021, and the corresponding public build with the vulnerability removed was released on April 15, 2021.
Keeping software installations current is an essential measure in maintaining server security. We recommend the following steps to make sure your server stays secure:
- Keep server OS and system software up to date.
- Keep October CMS software up to date.
- Use a multi-factor authentication plugin.
- Change the default backend URL or block public access to the backend area.
- Include the Roave/SecurityAdvisories Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities.
- Use a service like 1Pilot to monitor and update multiple instances remotely.
- Use a service like OpenCVE to track CVE updates and be alerted about new vulnerabilities.
One can never eliminate the risk of a hack altogether, but best practice dictates that you take all possible measures to minimize that risk.
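The script below is an added example, not code from October CMS, that checks two of the recommendations above against a project's `composer.lock`: it flags October CMS packages released before the April 15, 2021 build and reports whether Roave/SecurityAdvisories is installed. It assumes the October CMS packages use the `october/` vendor prefix and that a release time earlier than that build date means the fix is absent; the sample lock data is constructed.

```python
import json
import sys
from datetime import datetime, timezone

# Release date of the public build containing the fix, as stated in the post.
FIXED_BUILD_DATE = datetime(2021, 4, 15, tzinfo=timezone.utc)

def audit_lock(lock_text):
    """Return (findings, has_roave) for the text of a composer.lock file."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    findings, has_roave = [], False
    for pkg in packages:
        name = pkg.get("name", "").lower()
        if name == "roave/security-advisories":
            has_roave = True
        if not name.startswith("october/"):  # assumed vendor prefix
            continue
        released = pkg.get("time")
        if not released:
            findings.append((name, pkg.get("version"), "release time missing"))
            continue
        when = datetime.fromisoformat(released.replace("Z", "+00:00"))
        if when.tzinfo is None:  # treat naive timestamps as UTC
            when = when.replace(tzinfo=timezone.utc)
        if when < FIXED_BUILD_DATE:
            findings.append((name, pkg.get("version"), released))
    return findings, has_roave

# Constructed sample lock file: all versions and timestamps are made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "october/system", "version": "0.0.1-sample",
         "time": "2021-02-10T08:00:00+00:00"},
        {"name": "october/rain", "version": "0.0.2-sample",
         "time": "2021-06-01T08:00:00+00:00"},
        {"name": "laravel/framework", "version": "0.0.3-sample",
         "time": "2020-01-01T00:00:00+00:00"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    findings, has_roave = audit_lock(text)
    for name, version, detail in findings:
        print(f"REVIEW {name} {version}: {detail}")
    if not has_roave:
        print("roave/security-advisories is not installed")
    sys.exit(1 if findings or not has_roave else 0)
```

Run it with the path to a `composer.lock` as the only argument; a non-zero exit status makes it usable as a CI gate.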