Connect with us

Hi, what are you looking for?


Malware & Threats

Joomla Patches Zero-Day Used in Mass Attacks of Thousands of Websites

A recently patched zero-day vulnerability in the Joomla platform became an open gateway for attackers to compromise thousands of sites, according to findings by security firm Versafe.

A recently patched zero-day vulnerability in the Joomla platform became an open gateway for attackers to compromise thousands of sites, according to findings by security firm Versafe.

Thousands of sites have been compromised in the attack campaign, which was noted by Versafe after the company detected a spike in attacks against Joomla sites in the first half of 2013. The attackers used a zero-day exploit to take over servers and ultimately launch phishing and malware attacks against anyone who visited the compromised sites.

“For 2.5.x and 3.x versions of Joomla, it is possible for anyone with access to the media manager to upload and execute arbitrary code simply by appending a period (“.”) to the end of a php file (php.),” Versafe CEO Eyal Gruner told SecurityWeek. “For sites powered by unsupported versions of Joomla (1.5.x) attackers don’t even need to have an account on the Joomla server to gain access.”

The attackers’ IP addresses are believed to originate in China, and the victimized sites are spread throughout the globe. Many of the compromised servers redirected users to a page serving the Blackhole exploit kit that infected them with a variant of Zbot.

The report from Versafe follows a report of separate attack campaign seen by Arbor Networks. In the case, researchers at Arbor Networks found that more than 6,000 sites powered by Joomla, WordPress and Datalife Engine had been targeted in brute force attacks launched by a botnet dubbed ‘Fort Disco.’

CMS systems are a good target because they are widely used, Gruner said. In addition, open source CMS systems in particular were not necessarily built with security in mind, he said.

“It is safe to assume that the compromised sites were not the intended targets, but used as a launchpad to launch attacks against banks,” he explained. “As far as how to protect against these attacks, since banks and other FI’s always tend to be targets, any critical data between end-users and their financial organization is encrypted/protected, and in general, organizations need  to adopt more proactive, “always on”  ways to secure against these and other types of zero-day attacks.”

Advertisement. Scroll to continue reading.

“The attacks are still ongoing from many of the Joomla systems that had already been infiltrated,” he added. “Those that are now patched, and hadn’t been previously compromised, should be OK. All Joomla CMS users should upgrade to at least 2.5.x, if not the latest 3.1.x and be aware that these systems may have other yet-to-be-discovered vulnerabilities that might be quickly exploited.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...