
Mining botnet targets WordPress-powered sites

The operators of the KashmirBlack botnet have compromised hundreds of thousands of websites running the popular content-management systems (CMS) WordPress, Joomla, Magento and Drupal, Imperva researchers report.

The botnet exploits dozens of known CMS vulnerabilities and carries out millions of attacks per day.

“Typically, site administrators do not promptly install updates for CMSs, so they can be hacked via known vulnerabilities. This vector yields high attack efficiency for rapid botnet growth,” notes Imperva analyst Ofir Shati.

Source: imperva.com

A single infected site is capable of attacking on average 240 hosts, or about 3,450 sites, per day. Over the 11 months of observation, the roughly 285 bots the researchers identified compromised about 230,000 sites despite a low per-attack success rate.

KashmirBlack operators use legitimate cloud storage services, Dropbox and GitHub, to host code updates for the bots. To keep response times short, the infrastructure load-balances the bots' connections across its command-and-control servers.

“The botnet can easily masquerade as legitimate traffic. The services do not detect it, because the bot merely stores files there; there is no malicious functionality,” the experts explain.
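Because the update channel is ordinary HTTPS to Dropbox and GitHub, blocking or reputation-scoring the destination is useless; the usable signal on a web host is *who* fetches from those services. The following is an added example, not Imperva's tooling or anything from the report: it scans constructed egress-proxy lines and flags fetches made by the web-server account to file-hosting domains. The log format, the hostnames, the list of web-server accounts and the sample lines are all assumptions for illustration.

```python
"""Flag web-server-originated fetches from public file-hosting services.

Added example, not from the article or from Imperva. The premise taken from
the article is only that the bots pull their code updates from Dropbox and
GitHub; the log format, hostnames, account names and sample lines below are
constructed assumptions.
"""
import re
from dataclasses import dataclass

# Assumed: hostnames from which the services serve raw file content.
SUSPECT_HOSTS = {
    "dl.dropboxusercontent.com",
    "www.dropbox.com",
    "raw.githubusercontent.com",
    "github.com",
    "gist.githubusercontent.com",
}
# Assumed: accounts a CMS PHP worker typically runs under.
WEB_USERS = {"www-data", "apache", "nginx", "php-fpm"}

# Constructed egress-proxy line format:
#   "<ts> user=<account> pid=<n> dst=<host> path=<url-path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<host>\S+) path=(?P<path>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    user: str
    host: str
    path: str


def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspect_fetches(lines):
    """Return fetches by a web-server account to a file-hosting domain.

    Both conditions are required: a developer pulling from GitHub under
    their own account, or the CMS calling its vendor's update API, is
    not flagged.
    """
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable; production tooling should count these
        host = rec["host"].lower().rstrip(".")
        if rec["user"] in WEB_USERS and host in SUSPECT_HOSTS:
            hits.append(Hit(rec["ts"], rec["user"], host, rec["path"]))
    return hits


# Constructed sample input: two bot-style fetches, one legitimate CMS
# update check, one developer fetch, one unparseable line.
SAMPLE_LOG = [
    "2020-10-22T03:14:07Z user=www-data pid=2291 dst=raw.githubusercontent.com path=/someuser/repo/master/update.php",
    "2020-10-22T03:14:09Z user=www-data pid=2291 dst=dl.dropboxusercontent.com path=/s/abc123/payload.txt",
    "2020-10-22T03:15:00Z user=www-data pid=2300 dst=api.wordpress.org path=/core/version-check/1.7/",
    "2020-10-22T03:16:12Z user=alice pid=4100 dst=raw.githubusercontent.com path=/alice/dotfiles/main/.vimrc",
    "garbage line",
]

if __name__ == "__main__":
    for hit in find_suspect_fetches(SAMPLE_LOG):
        print(f"{hit.ts} {hit.user} fetched https://{hit.host}{hit.path}")
```

The check deliberately keys on the requesting account rather than the destination, since the article's own point is that the destination looks legitimate. It will still produce false positives on hosts where the web-server account is also used for deployments that pull from GitHub, so it is a triage signal to pair with file-integrity checks on the CMS tree, not a blocking rule.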

Most of the compromised servers are used for cryptocurrency mining and spam distribution, but in some cases the botnet is used for defacement, replacing the pages of the hacked sites.

Using a single defacement signature, the researchers traced the botnet to an operator using the handle Exect1337, a member of the Indonesian hacking group PhantomGhost.

Earlier experts warned of increased activity by the Lemon Duck botnet for Monero mining.
