KashmirBlack abused to run ongoing cryptomining, spamming, and defacement attacks
Security researchers have lifted the lid on a prolific botnet that relies on a long-patched vulnerability to infect popular Content Management Systems (CMS).
KashmirBlack exploits the long patched PHPUnit remote code execution (RCE) vulnerability (CVE-2017-9841) to infect systems running WordPress, Joomla, and other CMS platforms.
“The hacker is likely targeting CMS because they are notorious for poor cyber hygiene, as many people use old versions, unsupported plug-ins, and weak passwords,” according to security researchers at Imperva.
The Israeli cybersecurity firm went public with a technical write-up about the botnet on Thursday (October 22) following a six-month investigation.
The compromised network of CMS servers has been abused by cybercriminals for cryptomining, spamming, and defacement, with different payloads and instructions being delivered as the botnet abuse evolved over time.
The botnet, which first emerged in or around November 2019 and remains active, has spread across 30 countries and performs millions of attacks every day.
KashmirBlack is managed by a single command and control (C&C) server and uses more than 60 additional servers – mostly innocent surrogates – as part of its infrastructure.
It handles hundreds of thousands of bots, each communicating with the C&C server to receive new targets, perform brute-force attacks, install backdoors, and grow the botnet further still.
The botnet also exploits further vulnerabilities to maintain persistence on infected hosts.
The attack is likely linked to an Indonesian cybercrime group known for defacement, according to Imperva.
The threat intelligence team said they identified a member of ‘PhantomGhost’, an active hacking crew that typically focuses on defacement.
The hacker, ‘Exect1337’, allegedly left a marker within their code, which gave the botnet its name: ‘KashmirBlack’.
KashmirBlack is much more sophisticated than the average botnet. “It has a well-designed infrastructure that can expand and add new exploits or payloads without much effort,” according to Imperva.
The researchers created a honeypot of vulnerable systems to attract the botnet. Once the honeypot was infected, they could see exactly how the different entities that made up the botnet interacted with one another, effectively exposing the inner workings of KashmirBlack to scrutiny.
Three days after the honeypot was infected, the botnet maintainer apparently grew suspicious and updated the reporting address, freezing the researchers out. This shows how quickly the operator reacts to perceived outside threats, Imperva reports.
This limited timeframe was nonetheless long enough for Imperva’s researchers to uncover evidence of popular software development frameworks and methodologies – such as DevOps and Agile – being used to help the botnet adapt and evolve to new payloads and instructions.
KashmirBlack uses code repositories, such as GitHub, to store malicious code and scripts.
The botnet recently entered a new evolutionary stage by using a cloud-based service, Dropbox, to replace the C&C.
The botnet uses “sophisticated methods to camouflage itself, exploiting a range of vulnerabilities to maintain persistence, so that it can stay undetected and protect its operation,” according to Imperva.
Zombie disinfection advice
Nadav Avital, head of threat research at the Israeli security firm, said: “If you discover that you are in the botnet, then you must kill the malicious processes and remove the malicious files and jobs. You will then need to investigate whether the infection has spread and compromised any other data or systems.”
Imperva emphasized that prevention of infection is better than cure.
“Organisations need to practice good cyber hygiene by removing unused plugins and themes; ensuring the CMS core files and third-party modules are always up to date and properly configured; denying access to sensitive files and paths, such as install.php, wp-config.php, and eval-stdin.php,” Avital advised.
An Imperva spokesperson told The Daily Swig that the “attack was spread across the major CMS platforms with no favourability towards any one. The highest propensity was WordPress and Joomla, because of their popularity and wide-spread use.”
Use of strong and unique passwords on CMS servers – as a defense against brute-force attacks – and the deployment of a web application firewall are also recommended by Imperva as a general defense against KashmirBlack and similar threats.
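Avital's advice to deny access to install.php, wp-config.php and eval-stdin.php is a web-server configuration change; the complementary check is to look in web access logs for requests that already hit those files. The script below is an added example written for this article, not Imperva's tooling or code from the KashmirBlack write-up. The basenames come from Avital's list; the full path /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php is the PHPUnit file affected by CVE-2017-9841, which evaluates the POST body as PHP, so a POST to it is treated as an exploitation attempt and a GET as a probe. The log lines are constructed, and the path normalisation (double percent-decoding, collapsed slashes and dot segments) goes beyond what the article describes so that encoded variants of the same path are not missed.

```python
"""Flag web requests to the sensitive CMS files named in the article.

Added example, not Imperva's tooling. Basenames are from Avital's advice;
the PHPUnit path is the file CVE-2017-9841 lives in. Log lines are constructed.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Files the article says should be denied at the web server.
SENSITIVE_BASENAMES = {"eval-stdin.php", "install.php", "wp-config.php"}

# Apache/nginx "combined" access log format, reduced to the fields used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (203.0.113.0/24 etc. are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '203.0.113.7 - - [22/Oct/2020:10:01:03 +0000] '
    '"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0',
    '203.0.113.7 - - [22/Oct/2020:10:01:04 +0000] '
    '"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 37',
    '198.51.100.9 - - [22/Oct/2020:10:02:00 +0000] '
    '"POST /wp-content/plugins/foo//vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php?x=1 HTTP/1.1" 404 0',
    '198.51.100.9 - - [22/Oct/2020:10:02:01 +0000] "GET /wp-config.php HTTP/1.1" 403 0',
    '192.0.2.5 - - [22/Oct/2020:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]


def normalize_path(target: str) -> str:
    """Strip the query string, percent-decode twice (catches double encoding),
    then collapse repeated slashes and '.'/'..' segments so that encoded or
    padded variants of a path compare equal to the plain one."""
    path = urlsplit(target).path
    path = unquote(unquote(path))
    return posixpath.normpath("/" + path.lstrip("/"))


def classify(method: str, target: str):
    """Return a reason string if the request touches a sensitive file, else None."""
    base = posixpath.basename(normalize_path(target)).lower()
    if base not in SENSITIVE_BASENAMES:
        return None
    if base == "eval-stdin.php":
        # eval-stdin.php runs the request body as PHP, so a POST is an
        # exploitation attempt; a GET only confirms the file is reachable.
        kind = "exploit attempt" if method == "POST" else "probe"
        return "phpunit eval-stdin.php " + kind
    return "access to " + base


def scan_log(lines):
    """Return (ip, method, normalized_path, status, reason) for flagged requests.
    Non-matching lines are skipped rather than raising, as real logs are noisy."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["method"], m["target"])
        if reason:
            hits.append((m["ip"], m["method"], normalize_path(m["target"]),
                         int(m["status"]), reason))
    return hits


if __name__ == "__main__":
    for ip, method, path, status, reason in scan_log(SAMPLE_LOG):
        # A 404 still matters: the client tried the path and may try others.
        print(f"{ip} {method} {path} -> {status}: {reason}")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; a 404 on an eval-stdin.php path is still worth alerting on, because it shows the client is probing for PHPUnit installs, and a 200 on a POST means the deny rule is missing and the host should be treated as compromised until checked.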