An active botnet comprising hundreds of thousands of hijacked systems spread across 30 countries is exploiting "dozens of known vulnerabilities" to target widely used content management systems (CMS).
The "KashmirBlack" campaign, which is believed to have started around November 2019, targets popular CMS platforms such as WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager.
"Its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation," Imperva researchers said in a two-part analysis.
The cybersecurity firm's six-month investigation into the botnet reveals a complex operation managed by a single command-and-control (C2) server and more than 60 surrogate servers that communicate with the bots to hand out new targets, allowing the botnet to grow through brute-force attacks and the installation of backdoors.
The primary purpose of KashmirBlack is to abuse the resources of compromised systems for Monero cryptocurrency mining and to redirect a website's legitimate traffic to spam pages. It has also been used to carry out defacement attacks.
Regardless of the motive, exploitation attempts begin with the PHPUnit remote code execution vulnerability (CVE-2017-9841), which is used to infect victims with next-stage malicious payloads that communicate with the C2 server.
Based on the attack signature found during one such defacement, Imperva researchers said they believe the botnet is the work of a hacker known as Exect1337, a member of the Indonesian hacker crew PhantomGhost.
KashmirBlack's infrastructure is complex and comprises a number of moving parts, including two separate repositories: one that hosts exploits and payloads, and another that stores the malicious script used to communicate with the C2 server.
The bots themselves are designated either as a 'spreading bot,' a victim server that communicates with the C2 to receive commands to infect new victims, or as a 'pending bot,' a newly compromised victim whose role in the botnet has yet to be defined.
While CVE-2017-9841 is used to turn a victim into a spreading bot, successful exploitation of 15 different flaws in CMS systems leads to a victim site becoming a new pending bot. A separate WebDAV file upload vulnerability has been used by the KashmirBlack operators to deface sites.
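The two entry points described above both leave a recognisable trace in a web server's access log: CVE-2017-9841 is exploited by POSTing PHP code to PHPUnit's `eval-stdin.php` under a web-reachable `vendor/` directory, and WebDAV-based defacement relies on a PUT of web content. The following detector is an added example, not code from the Imperva report or from the botnet; the log lines it scans are constructed, and the extension list and the "2xx means the probe likely succeeded" rule are analyst heuristics, not anything the article states.

```python
import re

# Constructed sample lines in Apache/nginx "combined" format; not taken from the
# Imperva report. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [24/Oct/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [24/Oct/2020:10:01:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 312 "-" "python-requests/2.24"
203.0.113.77 - - [24/Oct/2020:10:01:06 +0000] "POST /wp-content/plugins/example/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "python-requests/2.24"
198.51.100.5 - - [24/Oct/2020:10:02:30 +0000] "PUT /webdav/index.html HTTP/1.1" 201 0 "-" "-"
203.0.113.10 - - [24/Oct/2020:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Extensions that, when PUT through WebDAV, hand the attacker a page the server will
# serve or code it will execute (heuristic list, an assumption of this example).
WEB_CONTENT_EXT = {"html", "htm", "php", "phtml", "phar"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    return req


def classify(req):
    """Return a finding label for one request, or None if it looks benign."""
    path = req["path"].split("?", 1)[0].lower()
    # CVE-2017-9841: PHPUnit's eval-stdin.php evaluates whatever PHP is POSTed to it when
    # the vendor/ tree is web-reachable. Any request for the file is a probe regardless of
    # status; a 2xx means the file was present and the body was most likely executed.
    if path.endswith("/util/php/eval-stdin.php"):
        return "phpunit-rce-probe"
    # A WebDAV PUT (or MOVE onto) of web content is the generic upload-then-deface pattern.
    if req["method"] in ("PUT", "MOVE") and path.rsplit(".", 1)[-1] in WEB_CONTENT_EXT:
        return "webdav-web-content-upload"
    return None


def scan(log_text):
    """Return a list of findings; each is the parsed request plus its label."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req)
        if label:
            findings.append({**req, "finding": label})
    return findings


def summarize(findings):
    """Per source IP: number of findings, labels seen, and whether any got a 2xx."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"count": 0, "succeeded": False, "labels": set()})
        entry["count"] += 1
        entry["labels"].add(f["finding"])
        if 200 <= f["status"] < 300:
            entry["succeeded"] = True
    return summary


if __name__ == "__main__":
    for ip, info in summarize(scan(SAMPLE_ACCESS_LOG)).items():
        print(ip, info)
```

On the sample input the scanner reports two PHPUnit probes from 203.0.113.77, one of which returned 200 (a vendor directory exposed at the web root is the condition that makes the RCE reachable), and one WebDAV upload of `index.html` from 198.51.100.5. A 404 on the probe still tells you the host is being scanned by something walking the same exploit list.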
As the botnet grew and more bots began fetching payloads from the repositories, the infrastructure was adjusted for scale by adding a load-balancer entity that returns the address of one of several newly set-up redundant repositories.
The latest evolution of KashmirBlack is perhaps the most insidious. Last month, the researchers found the botnet using Dropbox as a replacement for its C2 infrastructure, abusing the cloud storage service's API to fetch attack instructions and to upload attack reports from the spreading bots.
"Moving to Dropbox allows the botnet to hide illegitimate criminal activity behind legitimate web services," Imperva said. "It is yet another step towards camouflaging the botnet traffic, securing the C&C operation and, most importantly, making it difficult to trace the botnet back to the hacker behind the operation."
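Because the C2 traffic now goes to a legitimate service over TLS, blocklists of attacker infrastructure no longer help; what remains anomalous is the source. A compromised CMS host has no reason to call the Dropbox API, so one hunting approach is to join egress-proxy logs against an asset inventory and flag server-role hosts reaching Dropbox's API hostnames, separating reads (instruction fetches) from writes (report uploads). The code below is an added example, not Imperva's detection logic: the hostnames are Dropbox's documented HTTP API v2 endpoints, while the proxy-log format, the asset inventory and the role list are constructed assumptions.

```python
from urllib.parse import urlsplit

# Dropbox's documented HTTP API v2 hostnames: the RPC host and the content host.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Hypothetical asset inventory (hostname -> role), constructed for this example.
ASSET_ROLES = {"web-01": "webserver", "web-02": "webserver", "ws-jdoe": "workstation"}

# Roles that have no business talking to a consumer file-sync API (an assumption).
SERVER_ROLES = {"webserver"}

# Constructed egress-proxy log: "<timestamp> <source host> <method> <url> <status>".
# A workstation syncing files is expected; web-01 listing, downloading and then
# uploading to Dropbox is the fetch-instructions / upload-report pattern.
SAMPLE_PROXY_LOG = """\
2020-10-24T10:00:01Z ws-jdoe POST https://content.dropboxapi.com/2/files/download 200
2020-10-24T10:00:10Z web-01 POST https://api.dropboxapi.com/2/files/list_folder 200
2020-10-24T10:00:11Z web-01 POST https://content.dropboxapi.com/2/files/download 200
2020-10-24T10:05:00Z web-01 POST https://content.dropboxapi.com/2/files/upload 200
2020-10-24T10:05:30Z web-02 GET https://www.example.org/ 200
"""


def direction(url_path):
    """Map a Dropbox API path to what the caller is doing with the account."""
    if url_path.endswith("/files/upload") or "/files/upload_session/" in url_path:
        return "upload"
    return "fetch"


def parse_proxy_line(line):
    """Parse one constructed proxy-log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, url, status = parts
    u = urlsplit(url)
    return {"ts": ts, "src": src, "method": method,
            "host": u.hostname, "path": u.path, "status": int(status)}


def detect_dropbox_c2(log_text, roles=ASSET_ROLES):
    """Per server-role host: count fetches from and uploads to the Dropbox API."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_proxy_line(line)
        if ev is None:
            continue
        if roles.get(ev["src"]) not in SERVER_ROLES:
            continue  # workstations and unknown hosts are out of scope for this rule
        if ev["host"] not in DROPBOX_API_HOSTS:
            continue
        entry = hits.setdefault(ev["src"], {"fetch": 0, "upload": 0, "first_seen": ev["ts"]})
        entry[direction(ev["path"])] += 1
    return hits


if __name__ == "__main__":
    for host, info in detect_dropbox_c2(SAMPLE_PROXY_LOG).items():
        print(host, info)
```

The rule deliberately ignores the workstation's Dropbox traffic: the signal is not Dropbox use as such but Dropbox use from a host class that should never have a reason for it, which is exactly the cover the operators are relying on. Hosts that both fetch and upload are the strongest candidates for being spreading bots.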