Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Joomla Patches Zero-Day Used in Mass Attacks of Thousands of Websites

A recently patched zero-day vulnerability in the Joomla platform became an open gateway for attackers to compromise thousands of sites, according to findings by security firm Versafe.

A recently patched zero-day vulnerability in the Joomla platform became an open gateway for attackers to compromise thousands of sites, according to findings by security firm Versafe.

Thousands of sites have been compromised in the attack campaign, which was noted by Versafe after the company detected a spike in attacks against Joomla sites in the first half of 2013. The attackers used a zero-day exploit to take over servers and ultimately launch phishing and malware attacks against anyone who visited the compromised sites.

“For 2.5.x and 3.x versions of Joomla, it is possible for anyone with access to the media manager to upload and execute arbitrary code simply by appending a period (“.”) to the end of a php file (php.),” Versafe CEO Eyal Gruner told SecurityWeek. “For sites powered by unsupported versions of Joomla (1.5.x) attackers don’t even need to have an account on the Joomla server to gain access.”

The attackers’ IP addresses are believed to originate in China, and the victimized sites are spread throughout the globe. Many of the compromised servers redirected users to a page serving the Blackhole exploit kit that infected them with a variant of Zbot.

The report from Versafe follows a report of separate attack campaign seen by Arbor Networks. In the case, researchers at Arbor Networks found that more than 6,000 sites powered by Joomla, WordPress and Datalife Engine had been targeted in brute force attacks launched by a botnet dubbed ‘Fort Disco.’

CMS systems are a good target because they are widely used, Gruner said. In addition, open source CMS systems in particular were not necessarily built with security in mind, he said.

“It is safe to assume that the compromised sites were not the intended targets, but used as a launchpad to launch attacks against banks,” he explained. “As far as how to protect against these attacks, since banks and other FI’s always tend to be targets, any critical data between end-users and their financial organization is encrypted/protected, and in general, organizations need  to adopt more proactive, “always on”  ways to secure against these and other types of zero-day attacks.”

“The attacks are still ongoing from many of the Joomla systems that had already been infiltrated,” he added. “Those that are now patched, and hadn’t been previously compromised, should be OK. All Joomla CMS users should upgrade to at least 2.5.x, if not the latest 3.1.x and be aware that these systems may have other yet-to-be-discovered vulnerabilities that might be quickly exploited.”

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.