Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Attackers Exploiting Vulnerabilities In Joomla, WordPress to Distribute Malware

Joomla Vulnerability

Joomla Vulnerability

Attackers are targeting a third-party extension in sites powered by popular Content Management System Joomla to redirect visitors to malicious sites. WordPress sites are also being compromised, but it’s not clear how they are being hijacked.

The SANS Institute’s Internet Storm Center had received numerous reports that Joomla and WordPress sites had been compromised and injected with IFRAMES pointing to malicious sites, John Bambenek, ISC’s incident handler, wrote on the ISC Diary on Monday. Users are eventually being redirected to URLs ending in /nighttrend.cgi?8 and served fake antivirus, he said.

Germany’s Computer Emergency Response Team (CERT-Bund) told heise Security that other URLs have been observed, The H reported. Attackers are embedding an IFRAME into the compromised Joomla site that points to a Sutra Traffic Distribution System, which eventually redirects visitors to an exploit kit, according to CERT-BUND. Sutra Traffic Distribution System allows attackers to buy and well Web traffic to monetize the victims landing on the sites.

“It doesn’t seem to be a scanner exploiting one vulnerability but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” Bambenek wrote.

Joomla sites appear to be harder hit, although one commenter on the ISC Diary post reported seeing “heavy” brute force attempts from two IP addresses trying to gain admin access on WordPress sites.

According to CERT-BUND’s analysis, it seems the attackers compromised the initial Joomla sites by using a customized automated script that exploited known security flaws in Joomla Content Editor, The H reported. The malicious script injected PHP code that masqueraded as a GIF file into the Web server, and the attackers were able to later call and execute the PHP shell, according to the Joomla Download post (translated). The PHP shell then infected JavaScript files with new IFRAMEs.

JCE is a third-party extension which makes it easy to create Joomla pages without knowing HTML, XHTML, or CSS. The flaws were disclosed in August 2011 and have since then been patched, according to Joomla Download. Bambenek has asked for logs and other information to learn more about the exploit tool. So far he knows the user agent comes in as JCE BOT, “but not much more than that,” Bambenek told SecurityWeek over email.

Bambenek identified two IP addresses behind the attack, although commenters on the ISC Diary post identified a few more addresses. One also said the attacks appeared to be using the domain “freewww.info.”

Advertisement. Scroll to continue reading.

Joomla administrators should check whether they’d installed Joomla Content Editor in the past and still had it installed. If they have JCE, it should be uninstalled or updated to the latest version, JCE 2.3.1. Administrators with an old version of JCE should check their pages for any suspicious IFRAMEs.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.