New CMS-Based Botnet Cyber Attack a Real Doozy

If there’s one thing those of us who do content and communications exclusively will know like the back of our hands, it’s a CMS of one sort or another. If you don’t know what that abbreviation stands for, it’s Content Management System. Even if you’ve never used WordPress, you’ll almost certainly still have heard of it; it’s by far the most widely used CMS in the world, and not just for blogs like this one.

Here at 4GoodHosting, our expertise is in web hosting in the same way it will be for any good Canadian web hosting provider, but any and all of us will also know how integral content is to SERPs and the like. That’s why the KashmirBlack botnet is such a newsmaker in the digital world today, and for good reason.

Now at this point you’re probably saying ‘what?’, and that’s to be expected given the exotic name given to this malicious little critter. Name aside, you may even be asking what exactly a botnet is. We can answer that. A botnet is a network of compromised computers (the ‘bots’) that all take orders from an attacker’s command and control server, and which are then used in unison to attack a network, device, website or IT environment, usually to disrupt normal operations, degrade service, or, as in this case, quietly put the victims’ machines to work for the attacker.

Now with this new KashmirBlack botnet, we shouldn’t assume that it has originated in India, or that those who created it are huge fans of the classic Led Zeppelin song. Really it’s just a name. What is worth talking about, though, is what this is and why it’s showing itself to be so problematic.

Mining, Malicious Redirects, and Defacing

So let’s get into what you might need to know about this if you’re the person behind a website, any website and one being utilized for whatever aims. Imperva is a well-regarded web security company, and their researchers are the ones who discovered and have been tracking the KashmirBlack botnet.

Their research has indicated that this botnet is responsible for infecting hundreds of thousands of websites, and does so by going after their content management system (CMS) platforms.

It’s believed this botnet has been in operation since November of last year. It wasn’t much more than a blip in the beginning, but since then it’s really grown and expanded its reach. The consensus is now that it has evolved into a sophisticated operation that has the capacity to attack thousands of sites every day.

How exactly it works, and why it does what it does, can be summarized this way: the botnet’s main purpose is to infect websites in order to use their servers for one or more of the following illicit aims:

  1. to mine cryptocurrency
  2. to redirect legitimate web traffic to spam pages
  3. to display web defacements

Which then naturally leads to the question of which CMS are most at risk. This botnet has already had success infiltrating a wide variety of popular CMS platforms including WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart and Yeager, targeting vulnerabilities that are often unique to one CMS rather than shared across them.

Then, as you might guess, a ‘one-size-fits-all’ solution becomes less likely, as all these different CMS are configured and built differently, and have vulnerabilities that may be unique to them.

Vulnerability Finder

The KashmirBlack botnet mainly infects popular CMS platforms. It makes use of dozens of known vulnerabilities on its victims’ servers, and performs millions of attacks per day on average. Confirmed victims have been found in more than 30 countries around the world.

To explain more, it is a complex operation managed by a single command and control (C&C) server that uses in excess of 60 further servers as part of its infrastructure. Hundreds of bots are dispatched when opportunities are identified, with each one then communicating with the C&C to receive new targets, carry out brute-force attacks against CMS logins, install backdoors, and expand the botnet’s size and capacity accordingly.

The size expansion part of it is done by continually searching for sites running outdated software. When it finds one, it uses exploits for known vulnerabilities to infect both the vulnerable site and its underlying server. Imperva has tracked around 16 such exploits in use over the past year, the pace is picking up, and CMS like Joomla!, Magento, Yeager, WordPress, and vBulletin are most at risk, particularly when running outdated versions.

This is really where you can identify yourself as a more likely potential victim: if your CMS is running on outdated software, you are exactly what this botnet is scanning for. Note also that an infection is rarely noisy; the first sign is often a spike in CPU from a miner, unexpected redirects reported by visitors, or new PHP files in directories where you never put any.
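The scanning and brute-forcing pattern described above leaves a recognisable trace in ordinary web server access logs, which is where a site owner can look for it. The following is an added example (not Imperva’s code, nor anything from the botnet itself) that flags two such signatures in combined-format log lines: a client posting repeatedly to a CMS login endpoint, and a client probing login paths belonging to several different CMS families on one site, which no human visitor does. The log lines, IP addresses, path list and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Paths an automated CMS scanner touches, grouped by the CMS they belong to.
# A single site runs one CMS, so one client probing several families is a bot.
CMS_PROBES = {
    "wordpress": ("/wp-login.php", "/xmlrpc.php", "/wp-admin/"),
    "joomla": ("/administrator/index.php",),
    "drupal": ("/user/login",),
    "magento": ("/admin/", "/index.php/admin/"),
    "vbulletin": ("/login.php",),
}
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php", "/administrator/index.php",
                   "/user/login", "/login.php")


def parse(log_text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(log_text, post_threshold=5):
    """Return {ip: [findings]} for clients that look like CMS brute-forcers or scanners."""
    login_posts = defaultdict(int)
    families = defaultdict(set)
    for r in parse(log_text):
        path = r["path"].split("?", 1)[0]
        if r["method"] == "POST" and path in LOGIN_ENDPOINTS:
            login_posts[r["ip"]] += 1
        for family, prefixes in CMS_PROBES.items():
            if any(path.startswith(p) for p in prefixes):
                families[r["ip"]].add(family)

    findings = defaultdict(list)
    for ip, n in login_posts.items():
        if n >= post_threshold:
            findings[ip].append(f"brute_force:{n} login POSTs")
    for ip, fams in families.items():
        if len(fams) >= 2:
            findings[ip].append("multi_cms_probe:" + ",".join(sorted(fams)))
    return dict(findings)


def _line(ip, method, path, status="200"):
    return (f'{ip} - - [20/Oct/2020:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log (not from the article): one brute-forcer, one
# multi-CMS scanner, and one ordinary admin logging in to WordPress.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", "POST", "/wp-login.php") for _ in range(6)]
    + [_line("198.51.100.7", "GET", p, "404")
       for p in ("/wp-login.php", "/administrator/index.php", "/user/login", "/admin/")]
    + [_line("192.0.2.5", "GET", "/wp-admin/"),
       _line("192.0.2.5", "POST", "/wp-login.php"),
       _line("192.0.2.5", "GET", "/about/")]
)

if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip, hits)
```

The threshold of five login POSTs is deliberately low for a demonstration; on a busy site you would count per time window rather than per log file, and feed the flagged addresses to a rate limiter or fail2ban-style blocker rather than reading them by eye.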

To conclude here today, FWIW it’s believed that an Indonesian hacking group ‘PhantomGhost’ is behind KashmirBlack.

Reasons You Should Be Wary of Elasticsearch Servers

If you’ve never heard of Elasticsearch, you can certainly be excused. Here at 4GoodHosting we’ve got some pretty smart cookies around, but as a whole we’re a Canadian web hosting provider who’ll never claim to be entirely full of digital wherewithal. Truth be told I hadn’t heard of it either until recently, and no one had ever suggested to me that I should give a second thought to whether or not to trust it as a place to put searchable data.

Right then, get right to the definition you say. Elasticsearch is an open source search and analytics engine and data store developed by Elastic. The appeal of it has always been the way it allows searching through huge amounts of data in reasonable timeframes, and running calculations on the resulting data in the blink of an eye.

However, recent news indicates that there’s a potential downside to using Elasticsearch, and sharing what we know about that is going to be the subject of this week’s entry here.

Legit Associations

Elasticsearch has been all over the headlines – well, industry headlines at least – recently, and not in a good way. It seems like each new week brings along a new story about an exposed Elasticsearch server resulting in troves of data being leaked. But why is this happening with Elasticsearch clusters as much as it has been, and is it fair to associate Elasticsearch with an ever-present risk of this happening?

The question then further becomes whether businesses leveraging this otherwise very helpful technology can do so to the full extent while still avoiding data leaks.

Organizations have been using this platform en masse to store information in indices (the Elasticsearch equivalent of a database table; news reports often loosely call them ‘buckets’), the contents of which include emails, spreadsheets, social media posts, files and all manner of raw data in the form of text, numbers, or geospatial data.

The problem for Elastic is that it’s now beyond debate that deployments of their product are leaving massive amounts of data unprotected and potentially exposed online. Convenient as the technology is, the result is sometimes disastrous, and the number of high-profile breaches involving well-known brands from a variety of industries and attributed to exposed Elasticsearch servers continues to grow.

Where There’s Smoke..

Just this year alone, there’s been a few doozies related to Elasticsearch. Cosmetics giant Avon had 19 million records leaked from an exposed Elasticsearch database. Another misconfigured server belonging to Family Tree Maker, an online genealogy service, left over 25GB of sensitive data exposed. Sports giant Decathlon got bitten too, with 123 million records leaked. Despite repeated insistence from the people at Elastic that the product can be locked down, it’s clear there’s a fundamental risk factor here and people should be made aware of it.

At Issue

Those who choose to use cloud-based databases must be aware of the inherent risks that come with that, as well as performing the necessary due diligence to configure and secure every corner of the system. Shared research indicates this necessity is often being overlooked or just plain ignored, so we can say that the problem with Elasticsearch in part has to do with the shortcomings of some of those using it.

One contributing security researcher even measured how long it would take for attackers to locate and start exploiting an unprotected Elasticsearch server that was purposely left exposed online as a honeypot. The first attack arrived within about eight hours. That’s not instant, but it’s not long either: attackers continually scan the whole internet for the default port, and with data worth selling on the other end they don’t need an invitation.

Cloud storage technology is going to continue to be eagerly adopted, and it’s safe to say by this point that nothing is going to curb that eagerness. While cloud technologies certainly have their benefits, improper use of them has very negative consequences. Failing or refusing to understand the security ramifications of this technology can have very serious fallouts, and we’re seeing that now.

As it relates to Elasticsearch, just because a product is freely available and highly scalable doesn’t mean skipping the basic security recommendations and configurations is advisable. In fact, it’s not advisable at all. The problem is that some organizations are putting less of a priority on data privacy and security and more of one on profit as they aim to capitalize on the data gold rush.

Multiple Breach Methods

Is there only one attack vector for a server to be breached? Not really. In truth, there are a variety of different ways for the contents of a server to be leaked – a password being stolen, hackers infiltrating systems, or even the threat of an insider breaching from within the protected environment itself. The most common, however, occurs when a database is left online without any security (even lacking a password), leaving it open for anyone to access the data.

A lot of what we’re seeing here, if we’re going to be plain about it, is attributable to a poor understanding of the Elasticsearch security features and of what is expected from organizations when protecting sensitive customer data. The assumption that data security is automatically the cloud service provider’s responsibility simply isn’t true.

Deployments made on that assumption more often than not end up as misconfigured or under-protected servers. Cloud security is – and should be – a shared responsibility between the organization’s security team and the cloud service provider.

What we can say is that the organization running the cluster – the business that put the data there, not Elastic – owns the responsibility to perform the necessary due diligence to configure and secure every corner of the system properly to mitigate any potential risks. In practice that means binding the cluster to a private interface rather than every interface, turning authentication on, putting TLS in front of it, and then checking from outside that nothing on port 9200 answers without credentials.
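As an added illustration (not Elastic’s own tooling), here is a small audit of the elasticsearch.yml settings that decide whether a cluster answers to the whole network without credentials, with a constructed weak configuration beside a constructed hardened one. The setting names are real Elasticsearch settings; the cluster name, addresses and certificate path are assumptions made for the example.

```python
# Audit of the settings in elasticsearch.yml that decide whether a cluster is
# reachable from the network without credentials. The parser handles only flat
# "key: value" lines (no PyYAML needed), which is how these settings are written.

LOOPBACK_HOSTS = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Return {key: value} for flat 'key: value' lines; comments and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_es_config(text):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    s = parse_flat_yaml(text)
    findings = []
    # Unset network.host means loopback only; anything else is network-reachable.
    host = s.get("network.host", "_local_")
    exposed = host not in LOOPBACK_HOSTS
    # xpack.security.enabled defaults to false on 7.x (8.x flipped the default).
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    port = s.get("http.port", "9200")
    if exposed and not security_on:
        findings.append(
            f"CRITICAL: network.host={host} and xpack.security.enabled is not true: "
            f"anyone who can reach TCP port {port} can list, read and delete every index"
        )
    elif not security_on:
        findings.append("WARNING: no authentication; a reverse proxy or firewall "
                        "misstep later would expose every index")
    if exposed and security_on and not tls_on:
        findings.append("WARNING: authentication is on but HTTP is plaintext, so "
                        "credentials and documents cross the network in the clear")
    return findings


# Constructed configs, not from any real deployment. The first is the shape of
# the clusters behind the leaks above; the second is the minimum fix.
WEAK_CONFIG = """
cluster.name: customer-analytics
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
"""

HARDENED_CONFIG = """
cluster.name: customer-analytics
network.host: 10.0.5.20   # assumed private address, reachable only from the app subnet
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_es_config(cfg) or ["OK"])
```

The audit only reads the file; the outside-in check that should accompany it is a plain unauthenticated HTTP request to the cluster’s port 9200 from a host that should not be allowed in. If that returns the cluster banner or an index listing rather than a 401, the configuration is wrong regardless of what the file says.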

To effectively avoid Elasticsearch (or similar) data breaches, a different mindset to data security is required and one that allows data to be a) protected wherever it may exist, and b) by whomever may be managing it on their behalf. This is why a data-centric security model is more appropriate, as it allows a company to secure data and use it while it is protected for analytics and data sharing on cloud-based resources.

Standard encryption-based security is one way to do this, but encryption methods can be a headache and the farthest thing from straightforward. The weak point is rarely the algorithm itself (modern ciphers are not ‘cracked’ in practice) and almost always the handling around it: a key stored on the same server as the data, or a database that has to decrypt everything in order to search it, gives back most of what encryption promised. Tokenization is the better choice for fields like this, and it’s what any organization loading sensitive data into a search index should be looking at seriously.

Tokenization is a data-centric security method that replaces sensitive information with innocuous representational tokens. So even if the data falls into the wrong hands, no clear meaning can be derived from the tokens. Sensitive information remains protected, and attackers have no means of capitalizing on the breach, since the data they helped themselves to can’t be deciphered without the separate token vault.
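To make this concrete, here is an added example of vault-based tokenization (written for this page, not taken from any tokenization product or from Elastic): sensitive fields in a record are replaced with random tokens before the record is indexed, the mapping lives only in a separate vault, and an analytics question such as orders per customer is answered on the tokenized data alone. The order records, field names and token format are constructed.

```python
import secrets


class TokenVault:
    """A detached token vault (constructed example). It is the only place the
    real values live, so it must be encrypted at rest and reachable only by the
    few services allowed to detokenize, never by the search/analytics cluster."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str, keep_suffix: int = 0) -> str:
        """Return a random token for value. The same value always maps to the same
        token, so records can still be joined or counted on the tokenized side.
        keep_suffix preserves trailing characters (e.g. last 4 card digits)."""
        key = (value, keep_suffix)
        if key in self._value_to_token:
            return self._value_to_token[key]
        suffix = value[-keep_suffix:] if keep_suffix else ""
        while True:
            # Random, not derived from the value: there is no key to steal and
            # nothing to brute-force; a token reveals only what keep_suffix allows.
            token = "tok_" + secrets.token_hex(12) + ("_" + suffix if suffix else "")
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callable with access to this vault; raises KeyError otherwise."""
        return self._token_to_value[token]


# Field name -> number of trailing characters to keep in the clear (assumed schema).
SENSITIVE_FIELDS = {"email": 0, "card_number": 4}


def tokenize_record(vault, record):
    """Copy of record with every sensitive field replaced by its token."""
    out = dict(record)
    for field, keep in SENSITIVE_FIELDS.items():
        if field in out:
            out[field] = vault.tokenize(out[field], keep_suffix=keep)
    return out


def orders_per_customer(records):
    """Analytics that works on tokens alone: no vault access needed."""
    counts = {}
    for r in records:
        counts[r["email"]] = counts.get(r["email"], 0) + 1
    return counts


# Constructed sample orders, not real customers or card numbers.
SAMPLE_ORDERS = [
    {"order_id": 1001, "email": "alice@example.com", "card_number": "4111111111111111", "total": 59.90},
    {"order_id": 1002, "email": "bob@example.com", "card_number": "5555555555554444", "total": 12.00},
    {"order_id": 1003, "email": "alice@example.com", "card_number": "4111111111111111", "total": 8.50},
]


def demo():
    """Tokenize the sample orders; returns the vault and what the index would hold."""
    vault = TokenVault()
    indexed = [tokenize_record(vault, r) for r in SAMPLE_ORDERS]
    return vault, indexed


if __name__ == "__main__":
    vault, indexed = demo()
    for r in indexed:
        print(r)
    print(orders_per_customer(indexed))
```

If an index full of these records leaks, the attacker gets order totals and opaque tokens; the vault, which is a much smaller and more tightly guarded system, is the only thing that turns them back into addresses and card numbers.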

Don’t sour on cloud storage just yet, but if you’re putting sensitive data into the cloud, and doing so at large scale, then do be sure to do your homework and be explicitly in the know about what can (and needs to) be done to minimize the risks of data leaks.

Chrome to Debut Truncated URLs to Combat Phishing

Soft consonant constructions are devilishly hard for people who are new to English to understand, and the colloquial form of fishing as ‘phishing’ to describe underhanded and fraudulent information requests on the web is a good example. But if we are to expand on that, many people of any first language will be confused as to why anyone would go to the trouble of ‘phishing’ in the first place.

There’s always going to be people with bad intentions in any walk of life, and yes it does require a significant input of time and effort to set up, test, and then roll out a series of phishing emails or something similar. The reason they go to all of these efforts is – quite plainly – that there’s money to be made illicitly when they do find someone who’s gullible enough to click through or do whatever else it is that the phishing email requests of them.

Most younger people who are increasingly more web savvy will be aware enough to avoid falling into the trap, but for others who aren’t that way and have still – like everyone – been forced to exist in an increasingly digital world it is actually a real risk. As a rule, anything that looks amiss with any type of web communication should be a red flag and reason to discard it.

The same goes for any communication that seems ‘odd’ as to why the sender would be sending to you, whether it’s an unsolicited communication or one where it simply seems strange that they would be sending it to you. Here at 4GoodHosting, we can assure you that like any quality Canadian web hosting provider we’ve gone ‘fishing’ many times, but the interest was only ever in catching dinner and enjoying a quiet day on the lake. Obtaining info for fraudulent aims was never part of the equation!

But in all seriousness, this is an ever-bigger issue and in response to it Google is introducing a wrinkle for its nearly-ubiquitous Chrome web browser that’s going to make it more difficult for ‘phishers’ to get anyone on the hook.

October’s Here

The Internet giant announced this would debut in October, and here we are on the day after Canadian Thanksgiving so we can safely assume this is going to be arriving soon. But what exactly are we talking about here?

Well, Google will run a trial with their new Chrome 86 browser, on its way this month, that will hide much of a site’s URL as a way to foil phishing attacks. It’s an experiment with how URLs are shown in the address bar on desktop platforms, and the belief is that real-world usage will show that displaying URLs this way helps users realize when they’re visiting a malicious website, protecting them from phishing and social engineering attacks.

Participants for the trial phase are going to be chosen randomly. The exact number for how many Chrome users who’ll see the address bar pilot isn’t known, and Enterprise-enrolled devices aren’t going to be included in this Chrome 86 experiment.

Strategic Condensing

Instead of displaying the entire URL in Chrome’s address bar, the browser will automatically condense it to what’s referred to as the ‘registrable domain’, which Google describes as the ‘most significant’ part of the domain name. Right, so what’s the criterion for what is or isn’t ‘most significant’ there?

If the full URL for, say, a National Post article is https://www.nationalpost.com/article/3571224/government-to-extend-pandemic-financial-assistance-measures.html then the registrable domain would be nationalpost.com.

The belief here is that by showing only the registrable domain, users will find it more natural to glance at the address bar and immediately determine whether they are in the right place, rather than being put off from looking at all by a long and detailed URL at the top of their browser, which is exactly the condition under which a redirect to somewhere they never intended to go slips past them.

Which is fair enough, as most people are in fact naturally inclined to be put off by a long string of letters and characters that they usually see in URLs that are a departure from the home page or something similar.

The idea is that this will ensure they have a means of determining if they’re still at the right place, and not at a malicious site they’d been tricked into visiting. This is important because there are so many different ways that attackers can manipulate URLs to confuse users about a website’s identity, leading to rampant phishing, social engineering and scams.
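The registrable-domain rule is exactly what makes a phishing URL easier to spot when it’s the only thing shown, because the trusted name can appear anywhere else in a URL (in a subdomain, before an @ sign, in the path) without changing what the registrable domain is. The following is an added example, not Chrome’s code, that computes the registrable domain the way browsers do (longest matching rule from the Public Suffix List plus one label) against a tiny constructed subset of that list, and runs it over the National Post URL above and a few constructed look-alike phishing URLs.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny, constructed subset of the Public Suffix List that Chrome
# (and every other browser) consults. The real list has thousands of rules.
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "uk", "co.uk", "io", "github.io", "example"}


def registrable_domain(url: str) -> str:
    """Return what Chrome's experiment would show: the public suffix plus one label.
    IP-literal hosts are returned as-is, since they have no registrable domain."""
    # .hostname drops scheme, userinfo (anything before '@'), port and path,
    # and lowercases the host, so "nationalpost.com@evil" resolves to "evil".
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    # Walk from the full host down: the first hit is the longest matching
    # suffix. With no match, the PSL's default rule makes the last label the suffix.
    suffix_start = len(labels) - 1
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            suffix_start = i
            break
    if suffix_start == 0:
        return host  # the host *is* a public suffix; nothing is registrable
    return ".".join(labels[suffix_start - 1:])


def is_trusted(url: str, expected: str = "nationalpost.com") -> bool:
    """True only when the registrable domain is exactly the one the user expects."""
    return registrable_domain(url) == expected


# The article's example plus constructed look-alikes (all under reserved names).
SAMPLE_URLS = [
    "https://www.nationalpost.com/article/3571224/government-to-extend-pandemic-financial-assistance-measures.html",
    "https://www.nationalpost.com.account-verify.example/login",
    "https://nationalpost.com-secure.example/login",
    "https://www.nationalpost.com@203.0.113.5/login",
    "https://news.bbc.co.uk/",
    "https://example.github.io/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{registrable_domain(u):32} trusted={is_trusted(u)}  {u}")
```

The two cases worth noticing are the @ form, where everything a user reads as the site name is actually a username that the browser discards, and the subdomain form, where the real owner is whoever registered account-verify.example; both collapse to something that is plainly not nationalpost.com once only the registrable domain is shown.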

How to Work With This

For anyone who sees one of these truncated URLs but still has concerns, you can view the complete URL by simply moving the pointer over the address bar and letting it hover there a moment. This will prompt the Chrome browser to show the URL in its full form. There’s also a permanent option: Chrome will be adding a new item to the address bar’s right-click menu – ‘Always show full URLs’ – and activating it sets the address bar to show the whole URL for all sites.

How to ‘Spot’ a ‘Bot’, and Steer Clear of Them

If you’re one of the many people who enjoy Twitter feeds or even the comments section at your favourite news websites, then you may already be well aware that some of the contributors aren’t exactly sitting or standing somewhere with a mobile device or notebook in front of them like you are. What we’re talking about here is ‘bots’, and by that we mean a fabricated identity created in the digital space and driven by software (increasingly with some AI behind it) so it can participate in conversations and the like to further the interests of whatever group is behind it.

‘Russian’ bots are the flavour of the day, and it’s believed that many of these automated opinion swayers come from Russia. Truth is, however, bots come from all over the place and these days they are all too commonplace. They’re likely not going away anytime soon, so it’s good to know what these bots are, what they get up to, and – perhaps most importantly – how you can identify bots and put a whole lot less significance on what they have to say.

Now it needs to be said that here at 4GoodHosting we’re like any other reputable Canadian web hosting provider in that we’ve never created a bot, and in truth, despite our familiarity with all things web hosting, we wouldn’t even know how to if we tried. We imagine there are at least a few among web hosting customers in Canada who have these malevolent means, but that’s neither here nor there.

Let’s spend today talking about what everyday, average individuals like you can actually do to distinguish between a bot and a legit, human contributor.

Looks and Sounds Legit, But…

Sophisticated bots look and act like human users, and it’s true that most bot activity is indistinguishable from human activity to the naked eye. Even the majority of bot detection software struggles to identify all of them. This is a problem, and here’s why: with the ability to look like a million different humans at any time you can do a lot that wouldn’t be possible if you only had your one actual identity to work with online.

Among other examples, you could ‘listen’ to a song or ‘watch’ a video as often as necessary to push it to the top of the charts and quickly create the impression that something is popular or trending. Then there’s the trend of upvoting comments or retweeting content to further political aims – something we’re almost sure to be seeing right now with the upcoming presidential election in the US.

Successful bot-related cybercrime requires two elements. First is a valuable demographic, and second is the technology to go undetected by the intended victims. Getting back to the ‘Russian’ front with this, one thing that has been widely noted is how Russian interference in UK politics displayed how powerful bots can be in influencing public sentiment.

The current COVID-19 pandemic has this very much on display too. As lockdowns became a reality in the spring and people became increasingly forced to live their lives digitally, cybercriminals were presented with the perfect opportunity, and bots have been the perfect tool for all the disruption they’re aiming for.

So how does the less tech-savvy majority of us here in North America even have a clue as to who might be a bot, and who definitely is NOT a bot? And what about ‘good’ bots?

Yes, they exist. So let’s compare the two before getting to ways to identify bots online.

Good Bots / Bad Bots

As we just suggested, bots aren’t always bad. Bots – in their most basic identifiable form – are merely software scripts living on computers, and we should keep in mind that many everyday internet tasks are taken on by bots all the time and we all benefit from that.

These little digital ‘critters’ are essential to search engines and anti-virus companies being able to crawl, analyse, and catalogue data from web servers. It’s only at the other end of the spectrum, when bots are used by cybercriminals, that the whole thing becomes malicious. We’re talking about stealing login credentials, hacking accounts, spreading disinformation, and so on.

Get thousands of the critters out there working in unison with each other and you have what’s called a botnet. Cybercriminals get a lot of mileage out of these botnets, and that’s not a good thing.

Start with Fraudulent Apps

One of the ways cybercriminals have been making the most of people’s changing behaviour is via fraudulent apps, as recent industry research has determined. Looking at apps critically is a good place to start for learning how to identify bots. So how is a person supposed to know if an app is legit?

Here are common identifiers that should put up red flags for you:

Do reviews relate that ads pop up all the time? Even while on the Android home screen?

Do they talk about the app disappearing from the drawer and being unable to uninstall it?

Are they full of complaints that the app doesn’t work?

Is this the only app the app ‘publisher’ has to offer?

Find that the answer is yes to any of the above, and it might be a fraudulent, bot-driven app and one that you should consider taking a pass on.

Bots & Account Takeovers

Account takeovers are another good indicator of bots being on the scene. Bots have the ability to use your credentials to log into your accounts, such as banking, ticketing sites, social media platforms and online stores, without ever being detected.

Sure, CAPTCHA security protocols exist, but sometimes they aren’t strong enough to tell a sophisticated bot from a human. This makes clear how human-like these bots can be. Sophisticated cybercriminal operations even pay people to solve CAPTCHAs for them to ease their way in. The result is that sophisticated bots can use your data and your personal information to assume your identity and cause mayhem with your personal accounts.

Examples could be transferring money to themselves via your online banking account, or asking friends and family members to do the same via social media. There’s a lot of possibilities here, and they’re all bad.

Ways to Keep your Accounts Safe

Follow these suggestions and you’ll be better protected against bot-driven account takeovers:

  • Avoid using the same password for multiple accounts. Going with a password manager to generate, store and autofill strong passwords is a much better – and safer – choice
  • Skip clicking on any links from suspicious emails or text messages. They could lead to phishing sites or cause you to accidentally download malware
  • Put in place 2-step verification or 2-factor authentication wherever possible. Authenticator apps that help you do this are out there
  • Shop online only with reputable brands, and choose NOT to store your credit card information with any of them
  • On public Wi-Fi? Use a VPN