KashmirBlack Botnet Hijacks Thousands of Sites Running On Popular CMS Platforms
2020-10-29 03:02

An active botnet comprising hundreds of thousands of hijacked systems spread across 30 countries is exploiting "dozens of known vulnerabilities" to target widely used content management systems.

The cybersecurity firm's six-month-long investigation into the botnet reveals a complex operation managed by one command-and-control server and more than 60 surrogate servers that communicate with the bots to send new targets, allowing it to expand the size of the botnet via brute force attacks and installation of backdoors.

The bots themselves are either designated as a 'spreading bot,' a victim server that communicates with the C2 to receive commands to infect new victims, or a 'pending bot,' a newly compromised victim whose purpose in the botnet is yet to be defined.

While CVE-2017-9841 is used to turn a victim into a spreading bot, successful exploitation of 15 different flaws in CMS systems leads to a victim site becoming a new pending bot in the botnet.

"It is yet another step towards camouflaging the botnet traffic, securing the C&C operation and, most importantly, making it difficult to trace the botnet back to the hacker behind the operation."


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/gZvmE5Caz6g/kashmirblack-botnet-hijacks-thousands.html

Related Vulnerability

DATE: 2017-06-27
CVE: CVE-2017-9841
VULNERABILITY TITLE: Code Injection vulnerability in multiple products
Description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Attack vector: network
Attack complexity: low
Vendors: phpunit-project, oracle
Weakness: CWE-94
RISK: critical (9.8)
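
A defender-side triage sketch for the CVE-2017-9841 entry above, added here as an example and not taken from the original article or from PHPUnit: it flags access-log requests that reach eval-stdin.php and checks a PHPUnit version against the affected ranges quoted in the description. The function names, the Combined Log Format assumption and the sample log lines (documentation IP ranges) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed log layout (Combined Log Format):
#   ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# File named in the CVE description, matched wherever the vendor tree is mounted.
TARGET_RE = re.compile(r"/phpunit/(?:phpunit/)?src/util/php/eval-stdin\.php$")

# Constructed sample lines, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [29/Oct/2020:03:02:11 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 31 "-" "-"',
    '198.51.100.4 - - [29/Oct/2020:03:02:15 +0000] "GET /vendor//phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.10 - - [29/Oct/2020:03:03:40 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "-"',
]


def normalise(target):
    """Drop the query string, percent-decode, lowercase and collapse slashes."""
    path = unquote(target.split("?", 1)[0]).lower().replace("\\", "/")
    return re.sub(r"/+", "/", path)


def triage(lines):
    """Return (ip, time, verdict) for each request that reaches eval-stdin.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not TARGET_RE.search(normalise(m["target"])):
            continue
        # A POST answered with 2xx means the script exists and processed a body.
        served = m["method"] == "POST" and m["status"].startswith("2")
        hits.append((m["ip"], m["time"], "investigate" if served else "probe"))
    return hits


def is_affected(version):
    """True for PHPUnit before 4.8.28, or 5.x before 5.6.3 (plain dotted numbers)."""
    v = tuple(int(part) for part in version.split(".")[:3])
    return v < (4, 8, 28) or (5,) <= v < (5, 6, 3)


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

An "investigate" verdict only says the file was reachable and answered a POST; whether the host was compromised still has to be confirmed on the server itself.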