Security researchers from Imperva have tracked and analyzed a highly sophisticated botnet which they believe to be responsible for infecting hundreds of thousands of websites by attacking their content management system (CMS) platforms.
The botnet, named KashmirBlack, has been in operation since November of last year and while it started out small, it has now evolved into a sophisticated operation capable of attacking thousands of sites each day.
In its two-part blog series titled “CrimeOps of the KashmirBlack Botnet”, Imperva's researchers explained that the botnet's main purpose is to infect websites in order to use their servers to mine cryptocurrency, redirect legitimate web traffic to spam pages and show web defacements.
The operators of KashmirBlack target known vulnerabilities to take over sites running a wide variety of popular CMS platforms including WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart and Yeager.
Imperva's Ofir Shaty and Sarit Yerushalmi provided further insight on KashmirBlack's capabilities in a blog post, saying:
“The KashmirBlack botnet mainly infects popular CMS platforms. It utilizes dozens of known vulnerabilities on its victims’ servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world. It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.”
In order to expand the size of its botnet, KashmirBlack scans the internet searching for sites with outdated software. When it finds one, its operators use exploits for known vulnerabilities to infect both the vulnerable site and its underlying server.
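The quoted description above says the bots brute force logins on the CMS platforms they find. From a defender's side, the simplest check is whether a single client is repeatedly POSTing to a CMS login endpoint. The following script is an added illustration, not code from Imperva or the article; the login paths, the threshold, and the access-log lines are all constructed assumptions chosen to match the platforms the article names.

```python
"""Flag brute-force login bursts against CMS login endpoints in web access logs.

Added example (not Imperva's code). Login paths, threshold and sample log
lines are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed login endpoints for CMS platforms named in the article.
LOGIN_PATHS = {
    "/wp-login.php",             # WordPress
    "/administrator/index.php",  # Joomla!
    "/user/login",               # Drupal
}

# Apache/nginx combined log format:
# ip - - [timestamp] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def strip_query(path):
    """Drop the query string so '/wp-login.php?redirect_to=...' matches '/wp-login.php'."""
    return path.split("?", 1)[0]


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for clients that POST to a login path at least
    `threshold` times inside any sliding window of length `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if strip_query(rec["path"]) in LOGIN_PATHS:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed sample log: one client bursts login POSTs, the others do not.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Oct/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [25/Oct/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.9 - - [25/Oct/2020:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [25/Oct/2020:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [25/Oct/2020:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.9 - - [25/Oct/2020:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [25/Oct/2020:10:00:12 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1234',
    '203.0.113.7 - - [25/Oct/2020:10:00:15 +0000] "POST /administrator/index.php HTTP/1.1" 200 900',
    '192.0.2.44 - - [25/Oct/2020:10:00:20 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within the window")
```

The threshold and window are deliberately conservative starting points; in practice you would tune them against your own traffic, and a 200 response on a login POST (as opposed to a 302 redirect after success) is itself a useful signal of a failed attempt worth correlating.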
Since its creation in November of last year, the botnet has abused 16 vulnerabilities in Joomla!, Magento, Yeager, WordPress, vBulletin and other CMS software, according to Imperva. The security firm's researchers also believe that a hacker who goes by the handle Exect1337, a member of the Indonesian hacking group PhantomGhost, is the person behind KashmirBlack.
Via ZDNet