Cybersecurity researchers have unearthed a massive botnet network called KashmirBlack, being run from Indonesia, that has attacked websites running popular content management systems (CMSs) like WordPress, Drupal, and Joomla!, among others.
The highly-sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying CMS platforms, according to US-based cybersecurity firm Imperva.
The botnet’s primary purpose appears to infect websites, and then use their servers for cryptocurrency mining.
Based in Indonesia, the hackers have a command-and-control (C&C) infrastructure to operate KashmirBlack.
According to researchers, the botnet is the work of a hacker named “Exect1337”, a member of the Indonesian hacker crew PhantomGhost.
A C&C server is a centralized machine able to send commands and receive telemetries from machines that are part of a botnet.
“The KashmirBlack C&C has three main roles: Supply a Perl script that infects the victim server with the botnet malicious script, receive reports of findings and attack results from bots and supply bots with attack instructions,” said Imperva in a two-part series.
“By analysing the attack instructions received by our dummy ‘spreading bot’, we discovered that most of the attack’s target victim sites were located in the US,” the researchers noted.
The KashmirBlack C&C has a scanner that searches for sites running CMS platforms, creates an attack instruction with the newly- found sites, and pushes it into a queue waiting for bots to receive them and attack.
The team found more than 20 distinct exploits.
Some exploits attacked the CMS itself, while others attacked some of their inner components and libraries, reports ZDNet.
“During our research, we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay,” said Imperva researchers.
The team advised several actions that should be performed in case your server is infected by the KashmirBlack botnet.
“Kill malicious processes, remove malicious files, remove suspicious and unfamiliar jobs, and remove unused plugins and themes”.
The site administrator should ensure the CMS core files and third-party modules are always up-to-date and properly configured.
“Strong and unique passwords are recommended, as they are the first defense against brute force attacks,” Imperva said.