Hackers are exploiting a known vulnerability in a Google Maps plugin for Joomla to launch distributed denial-of-service attacks against enterprises.
According to Akamai Technologies’ Prolexic Security Engineering and Response Team (PLXsert), the vulnerability allows attackers to turn Joomla servers using the plugin into proxies for their attacks.
“Over the course of the last three months, we have been able to validate several of these DDoS campaigns targeting our customers and a number of these campaigns are still on-going,” David Fernandez, manager of the Akamai PLXsert team, told SecurityWeek. “This is precisely why we rated this advisory as a high risk factor, because it’s low-cost to access and easy to execute.”
In February 2014, multiple vulnerabilities were discovered in the Google Maps plugin for Joomla. Among the vulnerabilities is a bug that allows the plugin to act as a proxy. According to Akamai, attackers have been leveraging the vulnerable installations en masse for reflected floods using tools such as DAVOSET and UFONet. With help from PhishLabs’ R.A.I.D (Research, Analysis, and Intelligence Division), Akamai matched DDoS signature traffic originating from multiple Joomla sites and ultimately identified more than 150,000 potential Joomla reflectors on the Web.
“The attack campaigns contain traffic signatures that match sites known for providing DDoS-for-hire services,” Akamai states in its advisory. “The traffic appears to match attacks staged using tools developed specifically to abuse XML and Open Redirect functions, which then produce a reflected response that can be directed to targeted victims and result in denial of service. These tools are rapidly gaining popularity and are being adapted by the DDoS-Observed attack traffic and data suggest vulnerable hosts are being added to the menu of attacks on known DDoS-for-hire sites. The new attack type uses compromised Joomla servers as zombies or proxies to stage denial of service GET floods.”
The signatures of this attack have been observed since September 2014. So far in 2015, Akamai has detected eight of the attacks against its customers. Most of the victims have been in the education vertical, however financial and media organizations have been impacted as well. The largest source for attack traffic has been Germany (31.8 percent), though the United States (22.1 percent) and Poland (17.9 percent) have been top sources for attack traffic as well.
Reflection techniques appear to be all the rage for DDoS attackers. During the fourth quarter of 2014, Akamai researchers observed 39 percent of all DDoS attack traffic used reflection techniques, which take advantage of an Internet protocol or application vulnerability that allows DDoS attackers to reflect malicious traffic off a third-party server or device. The DAVOSET tool makes using this tactic even easier, as it ships with a default list of servers that leverage the vulnerability of the Google Maps plugin.
According to Akamai, the tool takes a list of known blind proxy scripts and services and uses them to stage a reflected GET flood against a target. DAVOSET also allows an attacker to configure their lists of reflectors, the number of requests per reflector, and proxy configurations to automate these attacks.
Like DAVOSET, the UFONet tool also uses a web interface and has a point-and-click configuration process. UFONet also automates the process of finding and testing vulnerable reflectors and supports community-based list sharing and updating – though as of now it only has a small set of community reflectors and its reflector testing logic contains bugs, according to Akamai.
Besides using the Snort rules provided in the advisory, Akamai recommends organizations also consider blocking HTTP GET /1.0 request traffic and HTTP requests with a PHP-based User-Agent string if they are not needed.
“Vulnerabilities in web applications hosted by Software-as-a-Service providers continue to provide ammunition for criminal entrepreneurs. Now they are preying on a vulnerable Joomla plugin for which they’ve invented a new DDoS attack and DDoS-for-hire tools,” said Stuart Scholly, senior vice president and general manager in the Security Business Unit at Akamai, in a statement. “This is one more web application vulnerability in a sea of vulnerabilities – with no end in sight. Enterprises need to have a DDoS protection plan in place to mitigate denial of service traffic from the millions of cloud-based SaaS servers that can be used for DDoS.”