CMS platforms succumb to KashmirBlack botnet as businesses rush online


An active botnet comprising hundreds of thousands of hijacked systems spread across 30 countries is exploiting an old vulnerability to target widely-used content management systems (CMS).

Dubbed KashmirBlack, this sophisticated botnet has a well-designed infrastructure made up of a single command and control (C&C) server, and more than 60 surrogate servers.

The botnet exploits the PHPUnit remote code execution vulnerability, a well-known flaw that's almost a decade old and is present in a number of older CMS platforms. These kinds of platforms are notorious for their poor cyber hygiene, mainly because many users deploy legacy versions, use unsupported plugins, and often set weak passwords, according to researchers with Imperva.

This particular flaw is known and entirely patchable. However, the botnet has managed to capitalise on a sudden surge in the number of companies disrupted by the coronavirus pandemic that now require easy-to-use web frameworks to help move their business online. This includes well-known platforms like WordPress, the researchers claim.

The team have published technical details around KashmirBlack following a six-month undercover investigation, monitoring its evolution over time and the nature of its underlying infrastructure.

The operation, which began around November 2019, is now made up of hundreds of thousands of bots organised in a highly sophisticated architecture, making millions of attacks each day. The researchers claim its architecture “works like magic”, with attackers able to expand and add new exploits or payloads without much effort at all.

KashmirBlack also uses sophisticated methods to camouflage itself, as well as exploiting a number of vulnerabilities to maintain uptime and protect its operation. Imperva also uncovered evidence of widely-used software development frameworks and methodologies, including DevOps and Agile, that the hackers are deploying to help the botnet evolve and add new targets with ease.

“This is the first time we have been able to get visibility into how exactly a botnet like this operates; an important discovery that will help the industry better understand how these nefarious groups evolve and sustain their activity,” said security researcher at Imperva, Ofir Shaty, who co-authored the research.

“The level of orchestration is remarkable. It’s a very polished operation using the latest software development techniques. With potentially millions of victims across the world, this level of sophistication should be a cause for concern. Once a server is being controlled by a hacker, it has the potential to compromise other servers in the domain in a domino effect, leading to potential data leakage, driving down brand reputation, and eventually losing revenue.”

The botnet itself appears to specialise in cryptocurrency mining, spamming, and defacement, although priorities have shifted over time. This capacity to shift focus also allows the botnet to change which repositories it uses to store the malicious code and scripts it deploys.

Researchers believe the KashmirBlack botnet recently evolved to use the popular cloud-based service Dropbox to replace its C&C server. They found evidence that the Dropbox API is being used to fetch attack instructions and upload reports from ‘spreading bots’.

Moving to this type of system also allows the botnet to hide criminal activity behind legitimate web services, working to camouflage the botnet traffic and secure the operation.

Based on a hacking signature, Imperva has identified the hacker known as 'Exect1337' as being part of the crew running the botnet. This individual is a member of the Indonesian group PhantomGhost, which normally focuses on defacement. This individual also accidentally left a marker within the botnet code, which gave rise to the name KashmirBlack.

Keumars Afifi-Sabet
Contributor
