Threat Watch

KashmirBlack Botnet Attacking Outdated Content Management Systems

Researchers from Imperva released a report about the KashmirBlack botnet, which has grown significantly over the last six months and is now capable of attacking thousands of websites per day. The botnet targets websites running unpatched Content Management Systems (CMS) including WordPress, Joomla, Drupal, Magento and vBulletin, taking control of those sites by exploiting known vulnerabilities to install crypto-mining malware and redirect website visitors to malicious URLs or advertising. The vulnerabilities exploited include the WordPress xmlrpc.php login brute-force attack, a Magento local file inclusion (CVE-2015-2067) and the vBulletin widget RCE (CVE-2019-16759). Some of these vulnerabilities are many years old, and all have patches available to mitigate them. The problem is that so many websites are set up and then abandoned or never patched again.
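As an added illustration, not taken from the Imperva report or from any tool it names, the Python script below scans web-server access logs in the common "combined" format for the xmlrpc.php login brute-force pattern mentioned above: a burst of POST requests to /xmlrpc.php from a single client. The sample log lines, the detection threshold and the time window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 documentation addresses), not from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Oct/2020:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2020:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Oct/2020:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2020:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2020:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Oct/2020:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2020:10:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0]

def find_xmlrpc_bruteforce(log_text, threshold=4, window_seconds=60):
    """Return {ip: peak_count} for clients that POSTed to /xmlrpc.php at least
    `threshold` times inside any sliding window of `window_seconds`.
    Assumes the log is in chronological order, as access logs normally are."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent xmlrpc POSTs
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != "/xmlrpc.php":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop expired hits
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(find_xmlrpc_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': 4}
```

Note that XML-RPC brute force via system.multicall can return HTTP 200 even for failed logins, which is why the script keys on request volume rather than on status codes.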

ANALYST NOTES

As the botnet grows, it is possible that the operators will lease the use of compromised servers to other cyber-criminal groups to distribute malware to victim computers. Malware operators prefer using compromised websites that have existed for a while and are not in any security tools’ block lists yet. Companies that operate websites should keep them up to date with the latest patches, including security updates for plug-ins, which are frequently abused by threat actors.

For more information, please see:
• https://www.zdnet.com/article/kashmirblack-botnet-behind-attacks-on-cmss-like-wordpress-joomla-drupal-others/
• https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-i/
• https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-ii/