Vulnerable Joomla Servers See 16,000 Daily Attacks

Symantec has detected up to 20,000 daily attempts to exploit a recently patched Joomla vulnerability that can be leveraged for remote code execution.

The vulnerability, identified as CVE-2015-8562, was patched in mid-December with the release of Joomla 3.4.6 and hotfixes for versions 1.5 and 2.5. The first attempts to exploit the flaw, which affects installations running Joomla 1.5.0 through 3.4.5, were spotted two days before the developers of the popular content management system (CMS) released patches.

Symantec has been monitoring attack attempts and detected, on average, 16,000 daily hits since the vulnerability was disclosed.

Attackers can leverage the Joomla security hole to compromise servers and use them for hosting malware and other malicious activities. They can also sell access to the targeted servers on the underground market, allowing others to abuse them for distributed denial-of-service (DDoS) attacks. Some of the compromised machines can also host valuable information.

Symantec reported seeing infected servers being used to redirect victims to exploit kits, and possibly for hosting malware.

The Joomla vulnerability targeted by attackers is caused by the lack of proper filtering when saving browser session values into the database. Sucuri has published a blog post detailing the flaw and how it can be exploited.

According to researchers, malicious actors have been trying to determine which servers are vulnerable by sending HTTP requests that cause functions such as phpinfo() and eval(chr()) to be executed, and then analyzing the responses.

Once a vulnerable server is identified, the attackers install a backdoor that allows them to execute commands, upload and download files, and modify the websites hosted on the server.

Administrators can check their web access logs for suspicious requests, and if malicious requests were sent before the Joomla installation was patched, it should be assumed that the system has been breached.
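The log review described above, as an added example that is not part of the original article or of Joomla's own tooling: a small scanner that parses Apache combined-format access log lines, flags the indicators the article names (phpinfo(), eval(chr()), and serialized PHP object syntax of the kind used in object injection), and separates hits that predate the patch from later ones, since the article's guidance is to treat a host as breached if malicious requests arrived before patching. The sample log lines are constructed for this example, and the assumption that the injected content appears in a logged request field (path, referer or User-Agent) is mine, not a statement from the article.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Apache/nginx "combined" log format; the User-Agent may contain escaped quotes (\").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

# Indicators taken from the article: probe functions and serialized-object syntax.
INDICATORS = [
    ("phpinfo-probe", re.compile(r'phpinfo\s*\(', re.I)),
    ("eval-chr-probe", re.compile(r'eval\s*\(\s*chr\s*\(', re.I)),
    # PHP serialized object header, e.g. O:8:"SomeClass" (quotes may be log-escaped).
    ("serialized-php-object", re.compile(r'O:\d+:\\?"[A-Za-z_\\]')),
]

# Constructed sample lines (not real traffic); the class name is a placeholder.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [16/Dec/2015:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5321 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"',
    '203.0.113.9 - - [16/Dec/2015:10:02:15 +0000] "GET / HTTP/1.1" 200 5321 "-" '
    '"}__probe|O:8:\\"SomeClass\\":1:{s:4:\\"code\\";s:20:\\"eval(chr(112).chr(104))\\";}"',
    '198.51.100.7 - - [16/Dec/2015:10:03:01 +0000] '
    '"GET /index.php?option=com_content&x=phpinfo() HTTP/1.1" 200 4410 "-" "curl/7.43.0"',
    'garbage line that is not in combined format',
]


@dataclass(frozen=True)
class Finding:
    ip: str
    timestamp: str   # raw Apache timestamp from the log line
    field: str       # which logged field carried the indicator
    indicator: str   # name of the matched pattern
    evidence: str    # short excerpt around the match


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_line(line):
    """Check the request line, referer and User-Agent of one log line for indicators."""
    rec = parse_line(line)
    if rec is None:
        return []
    findings = []
    for field in ("request", "referer", "agent"):
        value = rec[field]
        for name, pattern in INDICATORS:
            m = pattern.search(value)
            if m:
                start = max(0, m.start() - 10)
                findings.append(Finding(rec["ip"], rec["time"], field, name,
                                        value[start:m.end() + 20]))
    return findings


def scan_log(lines):
    """Scan an iterable of log lines; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        findings.extend(scan_line(line.rstrip("\n")))
    return findings


def suspicious_ips(findings):
    return sorted({f.ip for f in findings})


def hits_before_patch(findings, patched_at):
    """Findings dated before the install was patched: the article's guidance is to
    assume compromise if any exist, rather than treating patching as the end of it."""
    return [f for f in findings
            if datetime.strptime(f.timestamp, APACHE_TIME) < patched_at]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG_LINES)
    # Hypothetical patch time for the sample; use the real change window in practice.
    patched = datetime(2015, 12, 16, 10, 2, 30, tzinfo=timezone.utc)
    for f in found:
        print(f"{f.ip} {f.timestamp} [{f.field}] {f.indicator}: {f.evidence}")
    print("suspicious sources:", suspicious_ips(found))
    print("hits before patch:", len(hits_before_patch(found, patched)))
```

Run it against a real access log with `scan_log(open("/var/log/apache2/access.log"))`; on a busy site, the per-IP summary is more useful than the raw findings, and a single pre-patch hit from a source that later returned is exactly the case where the article says to assume the server is compromised rather than merely scanned.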

In mid-November, Symantec reported that malicious actors had sent out thousands of requests each day in an effort to find vBulletin servers plagued by a vulnerability patched on November 2.

The security company noted that the methods used by attackers to find vulnerable vBulletin installations are similar to the ones leveraged now against Joomla servers.

UPDATE. Joomla developers said the root cause of the vulnerability is a PHP bug patched in September. Joomla 3.4.7 has been released to address this critical issue along with a low-severity flaw, and to harden the MySQLi driver to help prevent object injection attacks.

“The only Joomla sites affected by [the vulnerability exploited in the wild] are those which are hosted on vulnerable versions of PHP. We are aware that not all hosts keep their PHP installations up to date so we are making this release to deal with this issue on vulnerable PHP versions,” Joomla developers said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.