Open SourceSecuritySoftwareWorkspace

Simple Joomla Hacks ‘Hit Thousands Of Websites’

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Thousands of sites compromised to serve up the Blackhole exploit kit, Verasafe says, as Joomla users urged to update

Yet another CMS has taken a battering by cyber attackers, as a simple Joomla vulnerability was exploited to infect thousands of websites with malware.

The sites were hacked to serve up the prevalent Blackhole exploit kit, which in turn infected users’ systems with banking Trojans.

Basic Joomla flaw

Keyboard Illustration "Cyber Attack" © Ben Chams - FotoliaThe vulnerability was uncovered after Versafe investigated a spike of Joomla compromises its clients saw in the first-half of 2013, which strongly suggested a fresh flaw in the CMS platform was being “more readily exploited”.

It found, for the 2.5.x and 3.x versions of Joomla, anyone with access to the media manager on the CMS could upload and execute arbitrary code just by adding a full stop (“.”) to the end of a php file.  For sites running unsupported versions of Joomla 1.5.x, attackers don’t even need access to an account on the Joomla server to gain access.

“They could simply go to a Joomla site, and upload the shell and malicious files without permissions access of any kind to the admin,” VP of business development at Versafe, Jens Hinrichsen, told TechWeekEurope.

“Attackers were running automated scripts to register an additional user on thousands of existing, exploitable sites running on 1.5.x.

“Since no permissions were required to instantiate a profile (on a pre-existing site), the attackers were uploading the PHP shell and malicious code as their avatar/profile picture, for instance.

“For newer versions, 2.5.x and 3.2.x, attackers needed to obtain just low-level media manager rights in order to exploit the same flaw (via brute force, spear phishing, etc).”

Joomla patched the flaw over a month after being notified. Users have been urged to update their Joomla platforms.

But many will have already gone on infected sites and had the Blackhole exploit kit search for ways to infect their machines with malware, the security company said.

“The attackers were able to gain rapid access to thousands of vulnerable sites, enabling hosting of the Blackhole drive-by malware payload that infected users, as well as use the compromised systems to host phishing attacks,” Hinrichsen added. “Truly a multi-stage, multi-pronged attack.”

Verasafe’s investigation led it to believe a single hacker based in China was exploiting the flaw at scale, but could not offer more details on the attacker.

“The series of attacks exploiting this vulnerability were particularly aggressive and widespread – involved in over 50 percent of the attacks targeting our clients and others in EMEA – and ultimately successful in infecting a great many unsuspecting visitors to genuine websites,” added Eyal Gruner, CEO of Versafe.

Hackers are upping their attacks against CMS systems. Earlier this month, Arbor Networks reported on the 25,000 machine-strong Fort Disco botnet, which was being used to brute force Joomla and WordPress CMSs.

Trend Micro has also warned thousands of compromised sites based on WordPress, Drupal and Joomla were being used as part of a spamming botnet called StealRat.

UPDATE: According to one of our readers, the vulnerability affecting Joomla 1.5 is not as serious as Versafe made out. Users can only upload a shell if the site admin has granted additional permissions. See below for the post from Elin.

What do you know about Internet security? Find out with our quiz!