Your Website May be at Risk from KashmirBlack Botnet!
- By Dawna M. Roberts
- Published: Oct 30, 2020
- Last Updated: Mar 18, 2022
Both Hacker News and ZDNet have reported sightings of the infamous KashmirBlack botnet that is attacking and hijacking hundreds of thousands of CMS websites.
The Platforms Under Siege
If your website is built on one of the popular CMS platforms such as WordPress, Joomla, Drupal, Magento, PrestaShop, vBulletin, Yeager, OpenCart, or osCommerce, you may be at risk.
The botnet named KashmirBlack has exploited “dozens of known vulnerabilities” within these CMS platforms and targets websites in more than 30 countries.
What is KashmirBlack Botnet?
The malicious botnet appeared sometime in November 2019 and is well-designed and efficient, using sophisticated methods to camouflage itself and continue operations undetected.
Imperva researchers released a two-part analysis of this threat based on a six-month evaluation. They found that it is made up of a main command-and-control (C2) server and 60+ surrogate servers that report back to the main server, bringing in new targets and expanding the already massive network of compromised machines.
The botnet makes use of the PHPUnit RCE vulnerability (CVE-2017-9841) to gain access and infect websites with malicious payloads. One such attack was traced back to an Indonesian hacker group named PhantomGhost.
In the study, Imperva notes that the motive appears to be infecting CMS systems in order to use them for cryptocurrency mining. It also defaces some websites and redirects some pages to spam websites.
Initially, KashmirBlack started out very small but has grown rapidly into a monster, attacking thousands of websites a day. The control computer works by deploying and managing hundreds of bots that target new victims, perform brute force attacks, install backdoors, and then communicate back to the server. Imperva commented in their brief that “During our research, we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay.”
It works because of older websites that have not been updated and run outdated, vulnerable code that it can exploit. The infected website/server then becomes part of the network, which expands the botnet's reach and turns that server into a bot that spreads the infection further.
ZDNet listed 16 of those vulnerabilities:
- “PHPUnit Remote Code Execution – CVE-2017-9841.
- jQuery file upload vulnerability – CVE-2018-9206.
- ELFinder Command Injection – CVE-2019-9194.
- Joomla! remote file upload vulnerability.
- Magento Local File Inclusion – CVE-2015-2067.
- Magento - Webforms Upload Vulnerability.
- CMS Plupload - Arbitrary File Upload.
- Yeager CMS vulnerability – CVE-2015-7571.
- Multiple vulnerabilities including File Upload & RCE for many plugins in multiple platforms.
- WordPress TimThumb RFI Vulnerability – CVE-2011-4106.
- Uploadify RCE vulnerability.
- vBulletin Widget RCE – CVE-2019-16759.
- WordPress install.php - RCE.
- WordPress xmlrpc.php Login - Brute-Force attack.
- WordPress multiple Plugins RCE.
- WordPress multiple Themes RCE.
- Webdav - file upload vulnerability.”
Not all of the attacks targeted the core CMS code; many exploited vulnerable plugins, libraries, and add-ons installed alongside it.
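Two entries on the list above, the xmlrpc.php login brute force and the WordPress install.php probe, leave very recognizable traces in an ordinary web server access log, so a site owner can spot them without any special tooling. The script below is an added illustration written for this article; it is not code from Imperva, ZDNet, or the KashmirBlack analysis. It assumes the log is in the common combined format, the sample lines are constructed, and the burst threshold of five POSTs per minute is an arbitrary starting point to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined access-log format as written by Apache/nginx by default (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one source hammering xmlrpc.php, one legitimate
# visitor, one unknown client fetching the WordPress installer script.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Oct/2020:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2020:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2020:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2020:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2020:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2020:10:00:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Oct/2020:10:01:00 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 1200 "-" "python-requests/2.24"
198.51.100.7 - - [30/Oct/2020:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for xmlrpc.php POST bursts and install.php requests.

    threshold/window are tuning knobs (assumed values): a source IP that sends
    `threshold` POSTs to xmlrpc.php inside `window` is reported as brute force.
    """
    alerts = []
    xmlrpc_hits = defaultdict(list)  # ip -> timestamps of recent xmlrpc POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the scan

        # The installer should never be reachable on a live site; any hit is worth a look.
        if rec["path"].endswith("/install.php"):
            alerts.append({"type": "install_php_probe", "ip": rec["ip"], "path": rec["path"]})

        if rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            hits = xmlrpc_hits[rec["ip"]]
            hits.append(rec["ts"])
            # Sliding window: drop timestamps that fell out of the window.
            while hits and rec["ts"] - hits[0] > window:
                hits.pop(0)
            # Fire when the count first reaches the threshold (re-fires only if the
            # window slides back below it and the burst resumes).
            if len(hits) == threshold:
                alerts.append({"type": "xmlrpc_bruteforce", "ip": rec["ip"], "count": len(hits)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run it against a real log with `detect(open("access.log").readlines())`. A single legitimate client (the Jetpack-style line in the sample) that posts to xmlrpc.php occasionally never reaches the threshold, which is the point of counting per source address within a window instead of flagging every request to the endpoint; if your site does not need XML-RPC at all, blocking the endpoint outright removes the brute-force surface entirely.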
Those responsible for the botnet have altered its infrastructure to make it more efficient. Hacker News explains it as, “But just as the botnet grew in size and more bots began fetching payloads from the repositories, the infrastructure was tweaked to make it more scalable by adding a load balancer entity that returns the address of one of the redundant repositories that were newly setup.”
Additionally, threat researchers found that KashmirBlack used Dropbox as part of its infrastructure instead of the C2 server. Imperva said, “Moving to Dropbox allows the botnet to hide illegitimate criminal activity behind legitimate web services. It is yet another step towards camouflaging the botnet traffic, securing the C&C operation, and, most importantly, making it difficult to trace the botnet back to the hacker behind the operation.”