Security experts spotted a new botnet, tracked as KashmirBlack botnet, that likely infected hundreds of thousands of websites since November 2019.

Security experts from Imperva have spotted a new sophisticated botnet, tracked as KashmirBlack is believed to have already infected hundreds of thousands of websites by exploiting vulnerabilities in their content management system (CMS) platforms.

The KashmirBlack botnet has been active at least since November 2019, operators leverages dozens of known vulnerabilities in the target servers.

Experts believe that the botmaster of the KashmirBlack botnet is a hacker that goes online with moniker “Exect1337,” who is a member of the Indonesian hacker crew ‘PhantomGhost’.

The experts observed millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.

“It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.” reads the first part of two reports published by the experts detailing the DevOps implementation behind the botnet.

The primary purpose of the KashmirBlack botnet is to abuse resources of compromised systems for cryptocurrency mining and redirecting a site’s legitimate traffic to spam pages.

Experts observed a continuous growth of the botnet since its discovery along with an increasing level of complexity.

In May experts observed an increase in the command-and-control (C&C) infrastructure and the exploits used by botnet operators.

KashmirBlack scans the internet for sites using vulnerable CMS versions and attempting to exploit known vulnerabilities to them and take over the underlying server.

Below a list of vulnerabilities exploited by the botnet operators to compromise websites running multiple CMS platforms, including WordPress, Joomla!, PrestaShop, Magneto, Drupal, vBulletin, osCommerce, OpenCart, and Yeager:

PHPUnit Remote Code Execution – CVE-2017-9841jQuery file upload vulnerability – CVE-2018-9206ELFinder Command Injection – CVE-2019-9194Joomla! remote file upload vulnerabilityMagento Local File Inclusion – CVE-2015-2067Magento Webforms Upload VulnerabilityCMS Plupload Arbitrary File UploadYeager CMS vulnerability – CVE-2015-7571Multiple vulnerabilities including File Upload & RCE for many plugins in multiple platforms hereWordPress TimThumb RFI Vulnerability – CVE-2011-4106Uploadify RCE vulnerabilityvBulletin Widget RCE – CVE-2019-16759WordPress install.php RCEWordPress xmlrpc.php Login Brute-Force attackWordPress multiple Plugins RCE (see full list here)WordPress multiple Themes RCE (see full list here)Webdav file upload vulnerability“During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay,” Imperva concludes.

The second part of the report also includes Indicators of Compromise (IoCs) for this botnet.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
});
}
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – hacking, KashmirBlack botnet)

The post KashmirBlack, a new botnet in the threat landscape that rapidly grows appeared first on Security Affairs.