The sites were hacked to serve up the prevalent Blackhole exploit kit, which in turn infected users’ systems with banking Trojans.
The vulnerability was uncovered after Versafe investigated a spike in Joomla compromises its clients saw in the first half of 2013, which strongly suggested a fresh flaw in the CMS platform was being “more readily exploited”.
It found, for the 2.5.x and 3.x versions of Joomla, anyone with access to the media manager on the CMS could upload and execute arbitrary code just by adding a full stop (“.”) to the end of a php file. For sites running unsupported versions of Joomla 1.5.x, attackers don’t even need access to an account on the Joomla server to gain access.
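The trailing-dot trick described above works against any upload filter that decides on the text after the final dot: “shell.php.” has an empty final extension, so a denylist of executable extensions never matches it. The following is an added example written for this page, not Joomla’s own code; the naive check is an assumption about the general pattern, not a reproduction of the Joomla media manager source, and the allow/deny lists are constructed for illustration. It places that flawed check beside a hardened one that normalises the name before deciding.

```python
import posixpath

# Constructed lists for the example; Joomla's real lists are not given on the page.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_is_allowed(filename: str) -> bool:
    """Flawed check (an assumed pattern, not Joomla's actual source):
    only the text after the last dot is compared against the denylist.
    'shell.php.' yields an empty extension and is therefore accepted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Defensive check: normalise first, then require an allow-listed image
    extension and reject any executable extension anywhere in the name."""
    name = posixpath.basename(filename)        # drop any directory component
    name = name.rstrip(". ")                    # trailing dots/spaces that a filesystem or server may discard
    if not name or name.startswith("."):        # empty or dotfile (e.g. .htaccess) is never an image upload
        return False
    parts = name.lower().split(".")
    if len(parts) < 2:                          # no extension at all
        return False
    # Every dotted segment is inspected, so 'shell.php.png' is rejected too.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for candidate in ("avatar.png", "shell.php", "shell.php.", "shell.php.png", ".htaccess"):
        print(f"{candidate!r:18} naive={naive_is_allowed(candidate)!s:5} hardened={hardened_is_allowed(candidate)}")
```

The important design choice is that the hardened version does not try to enumerate bad names; it strips the characters a filesystem might silently drop, then insists on a known-good final extension, so a new bypass would have to pass an allowlist rather than dodge a denylist.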
“They could simply go to a Joomla site, and upload the shell and malicious files without permissions access of any kind to the admin,” VP of business development at Versafe, Jens Hinrichsen, told TechWeekEurope.
“Attackers were running automated scripts to register an additional user on thousands of existing, exploitable sites running on 1.5.x.
Since no permissions were required to instantiate a profile (on a pre-existing site), the attackers were uploading the PHP shell and malicious code as their avatar/profile picture, for instance.
“For newer versions, 2.5.x and 3.2.x, attackers needed to obtain just low-level media manager rights in order to exploit the same flaw (via brute force, spear phishing, etc).”
Joomla patched the flaw over a month after being notified. Users have been urged to update their Joomla platforms.
But many users will already have visited infected sites and had the Blackhole exploit kit search for ways to infect their machines with malware, the security company said.
“The attackers were able to gain rapid access to thousands of vulnerable sites, enabling hosting of the Blackhole drive-by malware payload that infected users, as well as use the compromised systems to host phishing attacks,” Hinrichsen added. “Truly a multi-stage, multi-pronged attack.”
Versafe’s investigation led it to believe a single hacker based in China was exploiting the flaw at scale, but it could not offer more details on the attacker.
“The series of attacks exploiting this vulnerability were particularly aggressive and widespread – involved in over 50 percent of the attacks targeting our clients and others in EMEA – and ultimately successful in infecting a great many unsuspecting visitors to genuine websites,” added Eyal Gruner, CEO of Versafe.
Hackers are upping their attacks against CMS systems. Earlier this month, Arbor Networks reported on the 25,000 machine-strong Fort Disco botnet, which was being used to brute force Joomla and WordPress CMSs.
Trend Micro has also warned thousands of compromised sites based on WordPress, Drupal and Joomla were being used as part of a spamming botnet called StealRat.