An active botnet comprising hundreds of thousands of hijacked systems spread across 30 countries is exploiting “dozens of known vulnerabilities” to target widely-used content management systems (CMS).
The “KashmirBlack” campaign, which is believed to have started around November 2019, targets popular CMS platforms such as WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager.
“Its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation,” Imperva researchers said in a two-part analysis.
The cybersecurity firm’s six-month-long investigation into the botnet reveals a complex operation managed by a single command-and-control (C2) server and more than 60 surrogate servers that relay new targets to the bots, which grow the botnet by brute-forcing logins and installing backdoors on the sites they compromise.
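The article names brute-force attacks against CMS sites as the botnet's main way of spreading but gives no indicators. The following is an added example, not code from the article or from Imperva's analysis, showing the kind of check a site operator can run over a web server access log: it counts POST requests per source IP to common CMS login endpoints inside a sliding time window and flags bursts. The endpoint list, the thresholds, and the sample log lines are all constructed for illustration and are assumptions of mine, not data from the page.

```python
"""Flag brute-force login bursts against common CMS login endpoints
in combined-format (Apache/Nginx) access-log lines.

Added example; not from the article or Imperva's report. The endpoint
list, thresholds and sample lines below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Login endpoints of the CMS platforms the article names, where password
# guessing typically lands. Illustrative list, not from the article.
LOGIN_ENDPOINTS = (
    "/wp-login.php",              # WordPress
    "/xmlrpc.php",                # WordPress (system.multicall password guessing)
    "/administrator/index.php",   # Joomla!
    "/admin/index.php",           # PrestaShop / Magento / OpenCart style admin
    "/user/login",                # Drupal
    "/login.php",                 # vBulletin / osCommerce style
)

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs that POSTed to a login endpoint at
    least `threshold` times within any `window`-long span.

    Status codes are deliberately ignored: WordPress answers a failed
    wp-login.php POST with 200 and a successful one with 302, and other
    CMSs differ, so the request rate is the portable signal.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] not in LOGIN_ENDPOINTS:
            continue
        events[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# --- Constructed sample log (not real traffic) ---------------------------
def _mk(ip, sec, path, status, method="POST"):
    ts = datetime(2020, 10, 20, 10, 0, 0) + timedelta(seconds=sec)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')

SAMPLE_LOG = (
    [_mk("203.0.113.7", i * 3, "/wp-login.php", 200) for i in range(12)]  # 12 guesses in 36 s
    + [_mk("203.0.113.7", 40, "/xmlrpc.php", 200)]                        # plus one multicall attempt
    + [_mk("198.51.100.9", 5, "/wp-login.php", 302),                      # legitimate admin logins,
       _mk("198.51.100.9", 600, "/wp-login.php", 302)]                    # ten minutes apart
    + [_mk("198.51.100.9", 7, "/", 200, method="GET")]
)

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs inside a 5-minute window")
```

Run against a real log, the same function takes `open(path)` directly, since it only iterates over lines. The threshold and window are tuning knobs: a large site with many editors needs a higher threshold, and an attacker spreading guesses across many bots (as a botnet of this size can) will stay under any per-IP threshold, so a per-account or per-site aggregate is the complementary check.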
The primary purpose of KashmirBlack is to abuse resources of compromised systems for Monero cryptocurrency mining and redirect a website’s legitimate traffic to spam pages. But it has also been leveraged to carry out defacement attacks.