Researchers uncover botnet targeting decade-old CMS vulnerability


The results of a six-month investigation into a botnet that targets a vulnerability in content management systems have been released today by Imperva Research Labs.

The botnet, known as 'KashmirBlack', first appeared around November 2019 and is still active. It's managed by a single command and control server and uses more than 60 servers -- mostly innocent surrogates -- as part of its infrastructure.

KashmirBlack exploits the PHPUnit remote code execution (RCE) vulnerability to infect its victims -- despite it being a known, patchable vulnerability that is almost a decade old. The hackers are likely targeting CMS platforms because they are notorious for poor cyber hygiene: many people use old versions, unsupported plug-ins, and weak passwords. The pandemic has created more opportunities for the botnet, as more businesses need easy web frameworks, like WordPress, to digitize their operations.


The research finds this is more sophisticated than the average botnet. It has a well-designed infrastructure that can expand and add new exploits or payloads without much effort. It also uses sophisticated methods to camouflage itself, exploiting a range of vulnerabilities to maintain persistence, so that it can stay undetected and protect its operation. There's also evidence of commercial development frameworks -- such as DevOps and Agile -- being used to help the botnet adapt and evolve to new payloads and instructions with ease.

"This is the first time we have been able to get visibility into how exactly a botnet like this operates; an important discovery that will help the industry better understand how these nefarious groups evolve and sustain their activity," says Ofir Shaty, security researcher at Imperva, who co-authored the research. "The level of orchestration is remarkable. It's a very polished operation using the latest software development techniques. With potentially millions of victims across the world, this level of sophistication should be a cause for concern. Once a server is being controlled by a hacker, it has the potential to compromise other servers in the domain in a domino effect, leading to potential data leakage, driving down brand reputation, and eventually losing revenue."

You can read more on the Imperva blog.
