CMS platforms succumb to KashmirBlack botnet as businesses rush online

Businesses warned to prioritise security as coronavirus forces many to ply their trade digitally

An active botnet comprising hundreds of thousands of hijacked systems spread across 30 countries is exploiting an old vulnerability to target widely-used content management systems (CMS).

Dubbed KashmirBlack, this sophisticated botnet has a well-designed infrastructure made up of a single command and control (C&C) server, and more than 60 surrogate servers.

The botnet exploits the PHPUnit remote code execution vulnerability, a well-known flaw that’s almost a decade old and is present in a number of older CMS platforms. These kinds of platforms are notorious for poor cyber hygiene, mainly because many users deploy legacy versions, use unsupported plugins and set weak passwords, according to researchers with Imperva.

This particular flaw is known and entirely patchable. However, the botnet has managed to capitalise on a sudden surge in the number of companies disrupted by the coronavirus pandemic that now require easy-to-use web frameworks to move their business online, including well-known platforms like WordPress, the researchers claim.
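As an added illustration (not from Imperva's research or this article), one defender-side check for the PHPUnit exposure described above: a scan of web server access logs for requests to PHPUnit's eval-stdin script, which is only reachable when a development dependency has been shipped inside a CMS or plugin. The log lines, IP addresses and CMS path hints are constructed; the script path is PHPUnit's own, the rest is an assumption for the example.

```python
import re
from collections import Counter

# PHPUnit's eval-stdin script, the entry point the old RCE flaw abuses. It should
# never be reachable on a production site; a 200 here means a dev dependency shipped.
PHPUNIT_RE = re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I)

# Path fragments typical of bundled CMS plugins/themes (assumption, extend per site).
CMS_HINTS = ("/wp-content/", "/administrator/", "/sites/all/", "/modules/")

# Minimal combined-log-format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_phpunit_probes(lines):
    """Return one record per request aimed at the PHPUnit eval script."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and PHPUNIT_RE.search(rec["path"]):
            rec["cms_hint"] = any(h in rec["path"] for h in CMS_HINTS)
            # A 200 means the script answered: that vendor tree must be removed.
            rec["exposed"] = rec["status"] == "200"
            hits.append(rec)
    return hits


def summarize(hits):
    """Count probing sources and list paths that actually responded."""
    per_ip = Counter(h["ip"] for h in hits)
    exposed = sorted({h["path"] for h in hits if h["exposed"]})
    return {"sources": dict(per_ip), "exposed_paths": exposed}


# Constructed sample log lines (documentation IP ranges, fictitious plugin).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Oct/2020:10:01:02 +0000] "POST /wp-content/plugins/example/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Oct/2020:10:01:03 +0000] "GET /sites/all/libraries/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [20/Oct/2020:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8192',
    '198.51.100.7 - - [20/Oct/2020:10:02:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 16',
]

if __name__ == "__main__":
    print(summarize(flag_phpunit_probes(SAMPLE_LOG)))
```

Any path listed under `exposed_paths` is a site where the dev dependency is live and should be deleted or blocked at the web server, independent of whether the requests shown were successful exploitation.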

The team have published technical details around KashmirBlack following a six-month undercover investigation, monitoring its evolution over time and the nature of its underlying infrastructure.

The operation, which began around November 2019, is now made up of hundreds of thousands of bots organised in a highly sophisticated architecture, making millions of attacks each day. The researchers claim its architecture “works like magic”, with attackers able to expand it and add new exploits or payloads with little effort.

KashmirBlack also uses sophisticated methods to camouflage itself, and exploits a number of vulnerabilities to maintain uptime and protect its operation. Imperva also uncovered evidence that the hackers are using widely-used software development frameworks and methodologies, including DevOps and Agile, to help the botnet evolve and add new targets with ease.

“This is the first time we have been able to get visibility into how exactly a botnet like this operates; an important discovery that will help the industry better understand how these nefarious groups evolve and sustain their activity,” said security researcher at Imperva, Ofir Shaty, who co-authored the research.

“The level of orchestration is remarkable. It’s a very polished operation using the latest software development techniques. With potentially millions of victims across the world, this level of sophistication should be a cause for concern. Once a server is being controlled by a hacker, it has the potential to compromise other servers in the domain in a domino effect, leading to potential data leakage, driving down brand reputation, and eventually losing revenue.”

The botnet itself appears to specialise in cryptocurrency mining, spamming and defacement, although its priorities have shifted over time. This capacity to shift focus also allows the botnet to change which repositories it uses to store the malicious code and scripts it deploys.

Researchers believe the KashmirBlack botnet recently evolved to use the popular cloud-based service Dropbox to replace its C&C server. They found evidence that the Dropbox API is being used to fetch attack instructions and upload reports from ‘spreading bots’.

Moving to this type of system also allows the botnet to hide criminal activity behind legitimate web services, working to camouflage the botnet traffic and secure the operation.

Based on a hacking signature, Imperva has identified the hacker known as 'Exect1337' as part of the crew running the botnet. This individual is a member of the Indonesian group PhantomGhost, which normally focuses on defacement, and accidentally left a marker in the botnet code that gave rise to the name KashmirBlack.
