A recently patched zero-day vulnerability in the Joomla platform became an open gateway for attackers to compromise thousands of sites, according to findings by security firm Versafe.
Thousands of sites have been compromised in the attack campaign, which was noted by Versafe after the company detected a spike in attacks against Joomla sites in the first half of 2013. The attackers used a zero-day exploit to take over servers and ultimately launch phishing and malware attacks against anyone who visited the compromised sites.
“For 2.5.x and 3.x versions of Joomla, it is possible for anyone with access to the media manager to upload and execute arbitrary code simply by appending a period (“.”) to the end of a php file (php.),” Versafe CEO Eyal Gruner told SecurityWeek. “For sites powered by unsupported versions of Joomla (1.5.x) attackers don’t even need to have an account on the Joomla server to gain access.”
The attackers’ IP addresses are believed to originate in China, and the victimized sites are spread throughout the globe. Many of the compromised servers redirected users to a page serving the Blackhole exploit kit that infected them with a variant of Zbot.
The report from Versafe follows a report of separate attack campaign seen by Arbor Networks. In the case, researchers at Arbor Networks found that more than 6,000 sites powered by Joomla, WordPress and Datalife Engine had been targeted in brute force attacks launched by a botnet dubbed ‘Fort Disco.’
CMS systems are a good target because they are widely used, Gruner said. In addition, open source CMS systems in particular were not necessarily built with security in mind, he said.
“It is safe to assume that the compromised sites were not the intended targets, but used as a launchpad to launch attacks against banks,” he explained. “As far as how to protect against these attacks, since banks and other FI’s always tend to be targets, any critical data between end-users and their financial organization is encrypted/protected, and in general, organizations need to adopt more proactive, “always on” ways to secure against these and other types of zero-day attacks.”
“The attacks are still ongoing from many of the Joomla systems that had already been infiltrated,” he added. “Those that are now patched, and hadn’t been previously compromised, should be OK. All Joomla CMS users should upgrade to at least 2.5.x, if not the latest 3.1.x and be aware that these systems may have other yet-to-be-discovered vulnerabilities that might be quickly exploited.”