A highly sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying content management system (CMS) platforms.
Named KashmirBlack, the botnet started operating in November 2019.
Security researchers from Imperva —who analyzed the botnet last week in a two–part series— said the botnet’s primary purpose appears to be to infect websites and then use their servers for cryptocurrency mining, redirecting a site’s legitimate traffic to spam pages, and to a lesser degree, showing web defacements.
Imperva said the botnet started out small, but after months of constant growth, it has evolved into a sophisticated behemoth capable of attacking thousands of sites per day.
The biggest changes occurred in May this year when the botnet increased both its command-and-control (C&C) infrastructure, but also its exploit arsenal.
Nowadays, KashmirBlack is “managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure,” Imperva said.
“[The botnet] handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.”
KashmirBlack expands by scanning the internet for sites using outdated software and then using exploits for known vulnerabilities to infect the site and its underlying server.
Some of the hacked servers are then used for spam or crypto-mining, but also to attack other sites and keep the botnet alive.
Since November 2019, Imperva says it has seen the botnet abuse 16 vulnerabilities:
- PHPUnit Remote Code Execution – CVE-2017-9841
- jQuery file upload vulnerability – CVE-2018-9206
- ELFinder Command Injection – CVE-2019-9194
- Joomla! remote file upload vulnerability
- Magento Local File Inclusion – CVE-2015-2067
- Magento Webforms Upload Vulnerability
- CMS Plupload Arbitrary File Upload
- Yeager CMS vulnerability – CVE-2015-7571
- Multiple vulnerabilities including File Upload & RCE for many plugins in multiple platforms here
- WordPress TimThumb RFI Vulnerability – CVE-2011-4106
- Uploadify RCE vulnerability
- vBulletin Widget RCE – CVE-2019-16759
- WordPress install.php RCE
- WordPress xmlrpc.php Login Brute-Force attack
- WordPress multiple Plugins RCE (see full list here)
- WordPress multiple Themes RCE (see full list here)
- Webdav file upload vulnerability
Some exploits attacked the CMS itself, while others attacked some of their inner components and libraries.
“During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay,” Imperva researchers said on Friday.
Based on multiple clues it found, Imperva researchers said they believed the botnet was the work of a hacker named Exect1337, a member of the Indonesian hacker crew PhantomGhost.