A botnet that exploits multiple years-old flaws in popular content management systems (CMS) is behind millions of attacks per day, including mining for cryptocurrency, redirecting website traffic to spam sites, and defacing websites, security researchers said.
The KashmirBlack botnet targets systems running CMS software that is out of date, or whose bundled components and libraries have not been updated, security researchers from Imperva said. The botnet has exploits for 16 different vulnerabilities in popular CMS software, including a 2017 PHPUnit remote code execution vulnerability (CVE-2017-9841), a remote code execution flaw in older versions of the WordPress install.php file, a remote file upload vulnerability in Joomla, a remote code execution flaw in the widely used forum software vBulletin (CVE-2019-16759) and a local file inclusion flaw in the ecommerce platform Magento (CVE-2015-2067). This large arsenal of exploits allows KashmirBlack to infect the site and its server, maintain persistence, and carry out its attacks.
CMS platforms are “notorious for poor cyber hygiene, as many people use old versions, unsupported plug-ins, and weak passwords,” Imperva said. The company provided a detailed list of the exploits and the scripts they target.
KashmirBlack’s infrastructure consists of a single command-and-control server and 60 additional servers that act as innocent surrogates. Compromised machines receive instructions about new targets from the command-and-control server, then perform brute-force attacks and install backdoors on those targets to grow the botnet. By targeting widely used CMS platforms, including WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart and Yeager, the operators grew KashmirBlack to hundreds of thousands of infected machines across 30 countries.
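The exploit attempts and login brute-forcing described above leave recognisable traces in ordinary web server access logs. The following Python script is an added example, not code from the article or from Imperva: it parses constructed sample log lines in combined-log format, flags requests to the PHPUnit eval-stdin.php script associated with CVE-2017-9841 and to WordPress’s install.php, and reports source IPs that repeatedly POST to CMS login endpoints. The indicator paths, the login endpoints and the threshold of 10 POSTs are assumptions based on public knowledge of those components, not details taken from the article.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in Apache/nginx combined-log format. They are
# illustrative only, not traffic captured from the botnet (assumption).
_LINES = [
    '203.0.113.5 - - [20/Oct/2020:10:01:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Oct/2020:10:01:03 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 345 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [20/Oct/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]
# Twelve rapid login POSTs from one address, simulating a brute-force run.
_LINES += [
    f'198.51.100.9 - - [20/Oct/2020:10:02:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.24"'
    for i in range(12)
]
SAMPLE_LOG = "\n".join(_LINES) + "\n"

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Path indicators. These are assumed from the public advisories for the
# components the article names; they are not listed in the article itself.
EXPLOIT_INDICATORS = {
    "CVE-2017-9841 PHPUnit eval-stdin.php": re.compile(r"/phpunit/.*/eval-stdin\.php$"),
    "WordPress install.php reachable": re.compile(r"^/wp-admin/install\.php$"),
}

# Login endpoints whose POST volume is counted per source IP (assumption:
# WordPress and Joomla administrator login pages).
LOGIN_ENDPOINTS = re.compile(r"^/(wp-login\.php|administrator/index\.php)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so indicators match on the script path alone.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def scan_log(
    log_text: str, brute_threshold: int = 10
) -> Tuple[List[Tuple[str, str, str]], Dict[str, int]]:
    """Scan a log and return (exploit hits, brute-force IPs).

    exploit hits: list of (ip, indicator label, path) for every matching request.
    brute-force IPs: {ip: count} for IPs with >= brute_threshold login POSTs.
    """
    exploit_hits: List[Tuple[str, str, str]] = []
    login_posts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for label, pattern in EXPLOIT_INDICATORS.items():
            if pattern.search(rec["path"]):
                exploit_hits.append((rec["ip"], label, rec["path"]))
        if rec["method"] == "POST" and LOGIN_ENDPOINTS.match(rec["path"]):
            login_posts[rec["ip"]] += 1
    brute = {ip: n for ip, n in login_posts.items() if n >= brute_threshold}
    return exploit_hits, brute


if __name__ == "__main__":
    hits, brute = scan_log(SAMPLE_LOG)
    for ip, label, path in hits:
        print(f"[exploit] {ip} {label} {path}")
    for ip, n in brute.items():
        print(f"[brute-force] {ip} {n} login POSTs")
```

A GET to eval-stdin.php that returns 200 is a probe showing the file is reachable; actual exploitation of CVE-2017-9841 sends PHP code in a POST body, so both methods are worth flagging, which is why the indicator ignores the method. On a production site, replace SAMPLE_LOG with the contents of the real access log and tune brute_threshold to the site's normal login volume.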
Together, these activities add up to millions of attacks per day. The botnet uses the XMRig miner to mine Monero to a remote wallet on a HashVault pool, Imperva said. The researchers estimate that about 80 infected hosts took part in the mining operation, which started at the end of March. Imperva also observed bots redirecting site traffic to clickbait sites. The operators used the botnet to deface websites as well, and Imperva researchers found clues linking the defacements to a member of the Indonesian cybercrime group “PhantomGhost.”
The group developing KashmirBlack seems to be more professional than the average botnet gang: it appears to use software development frameworks and methodologies such as DevOps and Agile to quickly update instructions and add new payloads. The operators used to store malicious code and scripts in GitHub repositories and recently switched to Dropbox, Imperva said. The use of these software development practices means the operators can update and evolve their infrastructure quickly and with little effort, making it more resilient to outside threats.
Imperva researchers started analyzing KashmirBlack when one of the systems in Imperva’s honeypot was infected. Just three days later, the botnet operators, perhaps suspecting something was not quite right with the honeypot, updated the botnet’s reporting address and cut the researchers off from seeing any more of the operation.
“It has a well-designed infrastructure that can expand and add new exploits or payloads without much effort,” according to Imperva.