New CMS-Based Botnet Cyber Attack a Real Doozy

Reading Time: 9 minutes

If there’s one thing those of us who do content and communications exclusively will know like the back of our hands, it’s a CMS of one sort or another. If you don’t know what that abbreviation stands for, it’s Content Management System. Even if you’ve never used WordPress, you’ll almost certainly still have heard of it; it’s pretty much the original CMS and is the one most used by people all over the world. And that’s not just for blogs like this one.

Here at 4GoodHosting, our expertise is in web hosting in the same way it will be for any good Canadian web hosting provider, but any and all of us will also know how integral content is to SERPs and the like. That’s why the KashmirBlack botnet is such a newsmaker in the digital world today, and for good reason.

Now at this point you’re probably saying ‘what?’, and that’s to be expected given the exotic name given to this malicious little critter. Name aside, you may even be asking what exactly a botnet is. We can answer that. A botnet is a type of malicious attack where a series of connected computers are utilized to attack or promote failure of a network, network device, website or IT environment, usually done with the intention of disrupting normal working operations or degrading the system’s service capacities.

Now with this new KashmirBlack botnet, we shouldn’t assume that it has originated in India, or that those who created it are huge fans of the classic Led Zeppelin song. Really it’s just a name. What is worth talking about, though, is what this is and why it’s showing itself to be so problematic.

Mining, Malicious Redirects, and Defacing

So let’s get into what you might need to know about this if you’re the person behind a website, any website and one being utilized for whatever aims. Imperva is a web security research organization that’s fairly reputable and held in high regard in the digital community worldwide, and they’re the ones who have discovered and tracked the KashmirBlack botnet.

Their research has indicated that this botnet is responsible for infecting hundreds of thousands of websites, and does so by going after their content management system (CMS) platforms.

It’s believed this botnet has been in operation since November of last year. It wasn’t much more than a blip in the beginning, but since then it’s really grown and expanded its reach. The consensus is now that it has evolved into a sophisticated operation that has the capacity to attack thousands of sites every day.

How exactly it works, and why it does what it does, can be summarized this way: the botnet's main purpose is to infect websites in order to use their servers for one or more of the following illicit aims:

  1. to mine cryptocurrency
  2. to redirect legitimate web traffic to spam pages
  3. to display web defacements

Which then naturally leads to the question of which CMS are most at risk. This botnet has already had success infiltrating a wide variety of popular CMS platforms including WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart and Yeager, targeting vulnerabilities within them that may be unique to one CMS in comparison to another.

Then, as you might guess, a ‘one-size-fits-all’ solution becomes less likely, as all these different CMS are configured and built differently, and have vulnerabilities that may be unique to them.

Vulnerability Finder

The KashmirBlack botnet mainly infects popular CMS platforms. It makes use of dozens of known vulnerabilities on its victims’ servers, and performs millions of attacks per day on average. Victims who’ve identified themselves as being victims of KashmirBlack are in more than 30 different countries around the world.

To explain more, it has a complex operation managed by one specific command and control server and uses in excess of 60 servers as part of its infrastructure. Hundreds of bots are handled and dispersed when opportunities are identified, with each one then communicating with the C&C to receive new targets, carry out brute-force attacks, install backdoors, and expand the botnet’s size and capacities accordingly.

The size expansion part of it is done by expanding searches for sites with outdated software. When it finds one, its operators use exploits for known vulnerabilities to infect both the vulnerable site and its underlying server. And that’s happened some 16 different times in the last year, but it’s picking up speed and CMS like Joomla!, Magento, Yeager, WordPress, and vBulletin are most at risk, and particularly when working on outdated software.

This is really where you can identify yourself as a more likely potential victim if your CMS is operating on outdated software.
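As an added example (not from this article or from Imperva’s report), the following Python script flags log sources that behave the way the scanner described above does: a single IP probing the login or admin endpoints of several different CMS families, or repeatedly POSTing to a login endpoint. The access-log lines and the path-to-CMS mapping are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format web access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2020:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Oct/2020:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Oct/2020:10:01:05 +0000] "GET /administrator/index.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Oct/2020:10:01:06 +0000] "GET /admin/index.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Oct/2020:10:01:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Oct/2020:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Oct/2020:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed mapping of CMS-specific login/admin paths to the platform family they belong to.
# A legitimate admin normally touches only one family; a multi-CMS scanner touches several.
CMS_PATHS = {
    "/wp-login.php": "wordpress",
    "/xmlrpc.php": "wordpress",
    "/administrator/index.php": "joomla",
    "/admin/index.php": "magento-or-opencart",
    "/user/login": "drupal",
}

# Client IP, request method and request path from a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def parse_line(line):
    """Return (ip, method, path-without-query) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path = m.groups()
    return ip, method, path.split("?")[0]

def find_scanners(log_text, min_login_posts=3, min_families=2):
    """Return {ip: [reasons]} for sources that look like a multi-CMS scanner or brute-forcer."""
    posts = defaultdict(int)        # POSTs to any known login endpoint, per IP
    families = defaultdict(set)     # distinct CMS families probed, per IP
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec
        family = CMS_PATHS.get(path)
        if family is None:
            continue                # not a CMS login/admin path; ignore
        families[ip].add(family)
        if method == "POST":
            posts[ip] += 1
    flagged = {}
    for ip in families:
        reasons = []
        if posts[ip] >= min_login_posts:
            reasons.append(f"{posts[ip]} login POSTs")
        if len(families[ip]) >= min_families:
            reasons.append("probes " + ", ".join(sorted(families[ip])))
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Feed it a real access log and the flagged IPs are candidates for rate limiting at the web server or a firewall block, while the CMS family list tells you which install paths the scanner was looking for.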

To conclude here today, FWIW it’s believed that an Indonesian hacking group ‘PhantomGhost’ is behind KashmirBlack.
