CMS platforms succumb to KashmirBlack botnet as businesses rush online

Businesses warned to prioritise security as coronavirus forces many to ply their trade digitally

An active botnet comprising hundreds of thousands of hijacked systems spread across 30 countries is exploiting an old vulnerability to target widely-used content management systems (CMS).

Dubbed KashmirBlack, this sophisticated botnet has a well-designed infrastructure made up of a single command and control (C&C) server, and more than 60 surrogate servers.

The botnet exploits the PHPUnit remote code execution vulnerability, a well-known flaw that is almost a decade old and is present in a number of older CMS platforms. These kinds of platforms are notorious for their poor cyber hygiene, mainly because many users deploy legacy versions, use unsupported plugins, and often set weak passwords, according to researchers with Imperva.
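As an added example (not code from the article or from Imperva's research), the following Python scan runs over a few constructed web server log lines and flags any request into a `/vendor/phpunit/` directory. The premise, which is my assumption rather than something the article states, is that a production CMS should never serve PHPUnit's test framework over the web, so any such request is worth triage, and a request that got a 2xx response back is worth urgent triage. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from collections import Counter

# Common log format (no referrer or user-agent fields), as used by the
# constructed sample lines below.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: PHPUnit is a development dependency and should not be reachable
# under the web root of a live CMS, so the directory name alone is the signal.
# Keying on the directory rather than one script also catches probes against
# copies bundled inside plugins or themes.
PHPUNIT_PATH = re.compile(r'/vendor/phpunit/', re.IGNORECASE)

# Constructed sample log; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2020:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [20/Oct/2020:10:01:13 +0000] "GET /wp-login.php HTTP/1.1" 200 2210
198.51.100.23 - - [20/Oct/2020:10:02:41 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 31
198.51.100.23 - - [20/Oct/2020:10:02:42 +0000] "POST /wp-content/plugins/example/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 210
192.0.2.55 - - [20/Oct/2020:10:03:05 +0000] "GET /vendor/phpunit/ HTTP/1.1" 403 199
203.0.113.7 - - [20/Oct/2020:10:04:00 +0000] "GET /about/ HTTP/1.1" 200 4401
"""


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_phpunit_probes(log_text):
    """Return every parsed entry whose request path touches a PHPUnit directory."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and PHPUNIT_PATH.search(entry["path"]):
            hits.append(entry)
    return hits


def summarise(hits):
    """Count probes per source and list sources that received a 2xx response.

    A 2xx means the web server actually handed the request to a PHPUnit file,
    so that host should be checked for a web-reachable vendor directory and
    for any follow-on activity from the same source.
    """
    by_ip = Counter(h["ip"] for h in hits)
    succeeded = sorted({h["ip"] for h in hits if h["status"].startswith("2")})
    return {"by_ip": dict(by_ip), "succeeded": succeeded}


if __name__ == "__main__":
    probes = find_phpunit_probes(SAMPLE_LOG)
    report = summarise(probes)
    for ip, count in report["by_ip"].items():
        print(f"{ip}: {count} PHPUnit probe(s)")
    for ip in report["succeeded"]:
        print(f"URGENT: {ip} received a 2xx from a PHPUnit path; check the host")
```

In practice the same scan can be pointed at a real access log (`find_phpunit_probes(open(path).read())`), and the `/vendor/phpunit/` check doubles as a reminder to block or remove that directory from the web root and to exclude development dependencies from production deployments.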

This particular flaw is known and entirely patchable. However, the botnet has managed to capitalise on a sudden surge in the number of companies disrupted by the coronavirus pandemic that now require easy-to-use web frameworks to move their business online. This includes well-known platforms such as WordPress, the researchers claim.

The team have published technical details of KashmirBlack following a six-month undercover investigation that monitored its evolution over time and the nature of its underlying infrastructure.

The operation, which began around November 2019, is now made up of hundreds of thousands of bots organised in a highly sophisticated architecture, making millions of attacks each day. The researchers claim its architecture “works like magic”, with attackers able to expand and add new exploits or payloads without much effort at all.

KashmirBlack also uses sophisticated methods to camouflage itself, and exploits a number of vulnerabilities to maintain uptime and protect its operation. Imperva also uncovered evidence that the hackers are using widely-used software development frameworks and methodologies, including DevOps and Agile, to help the botnet evolve and add new targets with ease.

“This is the first time we have been able to get visibility into how exactly a botnet like this operates; an important discovery that will help the industry better understand how these nefarious groups evolve and sustain their activity,” said Ofir Shaty, a security researcher at Imperva who co-authored the research.

“The level of orchestration is remarkable. It’s a very polished operation using the latest software development techniques. With potentially millions of victims across the world, this level of sophistication should be a cause for concern. Once a server is being controlled by a hacker, it has the potential to compromise other servers in the domain in a domino effect, leading to potential data leakage, driving down brand reputation, and eventually losing revenue.”

The botnet itself appears to specialise in cryptocurrency mining, spamming, and defacement, although its priorities have shifted over time. This capacity to shift focus also allows the botnet to change which repositories it uses to store the malicious code and scripts it deploys.

Researchers believe the KashmirBlack botnet recently evolved to use the popular cloud-based service Dropbox to replace its C&C server. They found evidence that the Dropbox API is being used to fetch attack instructions and upload reports from ‘spreading bots’.

Moving to this type of system also allows the botnet to hide criminal activity behind legitimate web services, camouflaging the botnet's traffic and securing the operation.

Based on a hacking signature, Imperva has identified the hacker known as 'Exect1337' as part of the crew running the botnet. This individual is a member of the Indonesian group PhantomGhost, which normally focuses on defacement, and also accidentally left a marker within the botnet code, which gave rise to the name KashmirBlack.
