Security researchers from Imperva have tracked and analyzed a highly sophisticated botnet which they believe to be responsible for infecting hundreds of thousands of websites by attacking their content management system (CMS) platforms.
The botnet, named KashmirBlack, has been in operation since November of last year and while it started out small, it has now evolved into a sophisticated operation capable of attacking thousands of sites each day.
In its two-part blog series titled “CrimeOps of the KashmirBlack Botnet”, Imperva’s researchers explained that the botnet’s main purpose is to infect websites in order to use their servers to mine cryptocurrency, redirect legitimate web traffic to spam pages and display web defacements.
The operators of KashmirBlack target known vulnerabilities to take over sites running a wide variety of popular CMS platforms including WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart and Yeager.
Imperva’s Ofir Shaty and Sarit Yerushalmi provided further insight on KashmirBlack’s capabilities in a blog post, saying:
“The KashmirBlack botnet mainly infects popular CMS platforms. It utilizes dozens of known vulnerabilities on its victims’ servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world. It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.”
In order to expand the size of its botnet, KashmirBlack scans the internet searching for sites with outdated software. When it finds one, its operators use exploits for known vulnerabilities to infect both the vulnerable site and its underlying server.
Since its creation in November of last year, the botnet has abused 16 vulnerabilities in Joomla!, Magento, Yeager, WordPress, vBulletin and other CMS software, according to Imperva. The security firm’s researchers also believe that a hacker who goes by the handle Exect1337, a member of the Indonesian hacking group PhantomGhost, is the person behind KashmirBlack.