CMS platforms succumb to KashmirBlack botnet as businesses rush online

Businesses warned to prioritise security as coronavirus forces many to ply their trade digitally

An active botnet comprising hundreds of thousands of hijacked systems spread across 30 countries is exploiting an old vulnerability to target widely-used content management systems (CMS).

Dubbed KashmirBlack, this sophisticated botnet has a well-designed infrastructure made up of a single command and control (C&C) server, and more than 60 surrogate servers.

The botnet exploits the PHPUnit remote code execution vulnerability, a well-known flaw that’s almost a decade old, that's present in a number of older CMS platforms. These kinds of platforms are notorious for their poor cyber hygiene, mainly because many users deploy legacy versions, use unsupported plugins, and often set weak passwords, according to researchers with Imperva.

This particular flaw is known and entirely patchable, however, the botnet has managed to capitalise on a sudden surge in the number of companies that have been disrupted by the coronavirus pandemic, which now require easy to use web frameworks to help move their business online. This includes well-known platforms like WordPress, the researchers claim.

The team have published technical details around KashmirBlack following a six-month undercover investigation, monitoring its evolution over time and the nature of its underlying infrastructure.

The operation, which began around November 2019, is now made up of hundreds of thousands of bots organised in a highly sophisticated architecture, making millions of attacks each day. The researchers claim its architecture “works like magic”, with attackers able to expand and add new exploits or payloads without much effort at all.

KashmirBlack also uses sophisticated methods to camouflage itself, as well as exploiting a number of vulnerabilities to maintain uptime and protect its operation. Imperva also uncovered evidence of widely-used software development frameworks and methodologies, including DevOps and Agile, that the hackers are deploying to help the botnet evolve and add new targets with ease.

“This is the first time we have been able to get visibility into how exactly a botnet like this operates; an important discovery that will help the industry better understand how these nefarious groups evolve and sustain their activity,” said security researcher at Imperva, Ofir Shaty, who co-authored the research.

“The level of orchestration is remarkable. It’s a very polished operation using the latest software development techniques. With potentially millions of victims across the world, this level of sophistication should be a cause for concern. Once a server is being controlled by a hacker, it has the potential to compromise other servers in the domain in a domino effect, leading to potential data leakage, driving down brand reputation, and eventually losing revenue.”

The botnet itself appears to specialise in cryptocurrency mining, spamming, and defacement, although priorities have shifted over time. This capacity to shift focus also allows the botnet to change which repositories it may use to store malicious code and scripts deployed.

Researchers believe the KashmirBlack botnet recently evolved to use the popular cloud-based service Dropbox to replace its C&C server. They found evidence that the Dropbox API is being used to fetch attack instructions and upload reports from ‘spreading bots’.

Moving to this type of system also allows the botnet to hide criminal activity behind legitimate web services, working to camouflage the botnet traffic and secure the operation.

Based on a hacking signature, Imperva has identified the hacker known as 'Exect1337' as being part of the crew running the botnet. This individual is a member of the Indonesian group PhantomGhost, which normally focuses on defacement. This individual also accidentally left a marker within the botnet code, which gave rise to the name KashmirBlack.

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Recommended

Mutualink’s new interoperability platform offers real-time situational awareness
platform as a service (PaaS)

Mutualink’s new interoperability platform offers real-time situational awareness

2 Aug 2021
PwnedPiper flaws threaten infrastructure of 80% of US hospitals
Security

PwnedPiper flaws threaten infrastructure of 80% of US hospitals

2 Aug 2021
How to use machine learning and AI in cyber security
Security

How to use machine learning and AI in cyber security

30 Jul 2021
Chipotle’s marketing email hacked to send phishing emails
phishing

Chipotle’s marketing email hacked to send phishing emails

29 Jul 2021

Most Popular

Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021