News: KashmirBlack botnet infected hundreds of thousands of sites

Posted by Lucky (Regular, joined 14.09.20)
Hundreds of thousands of sites running the popular content management systems (CMS) WordPress, Joomla, Magento and Drupal have been compromised and enrolled in the KashmirBlack botnet, which its operators use for cryptocurrency mining, fraud and website defacement.

According to the security company Imperva, the malware runs on a modular infrastructure with features such as load balancing across its C&C servers and the use of legitimate cloud storage (Dropbox, GitHub) to get code updates out to infected systems quickly.

KashmirBlack targets sites built on these popular CMSs, exploiting dozens of known vulnerabilities and carrying out millions of attacks a day. Imperva analyst Ofir Shaty notes that the operators chose this infection vector deliberately: site administrators routinely fall behind on CMS updates, so sites stay exploitable through long-public vulnerabilities, and the attacks succeed often enough to sustain rapid growth of the botnet.

A single infected site can attack 240 hosts, or 3,450 individual sites, per day. By the researchers' calculation, the 285 bots they identified, at an estimated success rate of 1%, compromised about 230,000 sites over the past 11 months (285 bots × 240 hosts/day × 1% is roughly 680 new hosts a day, which over 11 months comes to about 230,000).

The researchers were struck by the botnet's high-throughput architecture, built to make updating the bots easy. Two clusters of compromised systems act as repositories for code and exploits, and the bots are split into those that actively scan for new targets and those that wait for instructions. Load balancing across the repositories, the researchers say, was added to improve responsiveness and availability.

The botnet has also evolved rapidly over the past 11 months. In September, for example, the operators began using the Dropbox API to store operational logs and receive commands. Because the traffic goes to legitimate cloud services (GitHub and Pastebin are used as well), bot-to-C&C communication is hard to distinguish from ordinary use of those services.

"A botnet can easily disguise itself as legitimate traffic. Services do not detect it, because the bot just stores files. There is no malicious functionality," Shaty explained.
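The detection angle on the two paragraphs above, as an added example that is not part of the article or of Imperva's research: Dropbox, GitHub and Pastebin traffic is unremarkable from a workstation, but a WordPress or Magento host in a web tier has no business uploading to the Dropbox API or fetching raw Pastebin content. Egress proxy or firewall logs from web servers can therefore be screened for those destinations. The Squid-style log format, the sample lines, the IP addresses and the repository/paste identifiers in them are all constructed for this example; the watched domain list is built from the services the article names.

```python
"""Screen web-server egress logs for cloud-storage/paste-service traffic.

Added example, not code from the article, Imperva or the botnet. The log
format (epoch, client IP, method, URL, status) and every sample line are
constructed; the domain list reflects the services named in the article.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Services the article reports KashmirBlack using for updates, commands and
# log storage. Matched on a dot boundary so subdomains such as
# content.dropboxapi.com or raw.githubusercontent.com are covered.
STORAGE_DOMAINS = (
    "dropbox.com",
    "dropboxapi.com",
    "dropboxusercontent.com",
    "github.com",
    "githubusercontent.com",
    "pastebin.com",
)

# Constructed Squid-style access log: <epoch> <client_ip> <method> <url> <status>
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")

# Constructed sample: 10.0.5.21 and 10.0.5.23 behave like bots (Dropbox API
# upload/listing, raw GitHub and Pastebin fetches); .22 and .24 do not.
SAMPLE_LOG = """\
1603123456 10.0.5.21 GET https://api.wordpress.org/core/version-check/1.7/ 200
1603123460 10.0.5.21 POST https://content.dropboxapi.com/2/files/upload 200
1603123461 10.0.5.21 GET https://raw.githubusercontent.com/exampleuser/examplerepo/master/x.php 200
1603123470 10.0.5.22 GET https://packagist.org/packages.json 200
1603123471 10.0.5.23 GET https://pastebin.com/raw/EXAMPLEID 200
1603123480 10.0.5.23 POST https://api.dropboxapi.com/2/files/list_folder 200
1603123490 10.0.5.24 GET https://www.google.com/ 200
"""


@dataclass(frozen=True)
class EgressEvent:
    ts: int
    src_ip: str
    method: str
    host: str
    url: str
    status: int


def parse_line(line: str) -> EgressEvent | None:
    """Parse one log line; None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, method, url, status = m.groups()
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return EgressEvent(int(ts), src_ip, method, host, url, int(status))


def is_storage_service(host: str) -> bool:
    """True if host is a watched service or a subdomain of one.

    A bare endswith() would also flag look-alikes such as evilpastebin.com,
    so the comparison is anchored on an exact match or a leading dot.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in STORAGE_DOMAINS)


def find_storage_egress(log_text: str) -> dict[str, list[EgressEvent]]:
    """Group every request to a watched service by the web server that made it."""
    hits: dict[str, list[EgressEvent]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_storage_service(ev.host):
            hits[ev.src_ip].append(ev)
    return dict(hits)


def summarize(hits: dict[str, list[EgressEvent]]) -> list[dict]:
    """One alert per source host: count, services touched, whether it pushed
    data (POST/PUT, e.g. a log upload) rather than only fetching."""
    alerts = []
    for src_ip, events in sorted(hits.items()):
        alerts.append({
            "src_ip": src_ip,
            "requests": len(events),
            "services": sorted({e.host for e in events}),
            "has_post": any(e.method in ("POST", "PUT") for e in events),
            "first_seen": min(e.ts for e in events),
        })
    return alerts


if __name__ == "__main__":
    for alert in summarize(find_storage_egress(SAMPLE_LOG)):
        print(alert)
```

Run this only against logs from the web tier, not the whole estate, or the GitHub entries will drown the signal; deployment pipelines that pull from GitHub are the usual false positive and should be allowlisted by repository rather than by domain.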

Most of the infected servers are used for cryptocurrency mining or sending spam, but in some cases the botnet appears to be used for defacement. One defacement signature gave the researchers a lead on the operator's identity: the hacker Exect1337, a member of the Indonesian hacking group PhantomGhost.