SECOND UPDATE
Editor’s Note: It has come to our attention that Check Point’s findings are being questioned by Joomla! and others in the open-source ecosystem. Our story accurately reflects Check Point’s report — but it’s clear that the news isn’t about Jmail or the vulnerability (which is at least three years old), but rather that an attacker has set up a mass phishing infrastructure using an old attack pattern and is carrying out a campaign. Threatpost has reached out to Check Point again to get details as to how prolific the attack is and who the targets are, etc. and will update the post accordingly. Joomla! meanwhile has issued a statement on what it says are inaccuracies on the technical side of Check Point’s report. That statement can be found here.
SAN FRANCISCO — A fresh campaign from a known adversary is using a known flaw in the popular Joomla! CMS platform to carry out a large-scale phishing and spam operation, according to researchers.
According to Check Point Research, a cybercriminal known as Alarg53 is using Jmail for phishing and spam, and has even implemented a fully fledged backdoor infrastructure within the platform to carry out those first two activities at scale.
“Indeed, by implementing simple manipulations on the User‐Agent header on HTTP requests, one can manipulate the platform and override the existing Jmail service,” explained the researchers, in findings released at the RSA Conference 2019.
For its part, Joomla! initially gave Threatpost a short statement: “The Joomla Project takes security very seriously and closely cooperates with reports to fix reported issues as fast as possible. As Check Point however did not reach out to us upfront, like it’s best practice in the security industry, we can’t comment or fix an issue that has not been published yet.”
It now has issued a longer statement discounting the Jmail override statement by Check Point.
‘Jmail Breaker’ Attack Flow
According to Check Point, the adversary first exploited a known object injection remote code-execution (RCE) flaw in Joomla! to inject code into the User‐Agent header field in HTTP requests.
“The attacker injects a base64 string in the User‐Agent field. The PHP code then downloads the files and stores them in a specific path,” Check Point noted. “Once decoded, it is transformed into PHP code that runs on the victim’s machine. The code tries to download specific files from Pastebin and stores them in a designated path.”
That path happens to be “./libraries/joomla/jmail.php” in the recent campaign, Check Point said, adding that it found that the HTML file stored there contains PHP code with two major sections that serve two functionalities – sending mail and uploading files.
“Once downloaded and stored, the file actually overrides the current Joomla Jmail service,” the researchers said. (Note: Joomla! discounts this, noting in its statement that the file “does not ‘override’ the core JMail class.”)
Check Point continued, “From now on, this file is actually an infrastructure in which the attacker can upload files and send mail for his own purposes. Based on our threat actor’s activity on the web, it seems this infrastructure is being used for phishing and mail spamming.”
Check Point has dubbed the attack “Jmail Breaker,” and researchers said that they expect it to be used by other adversaries in other attacks.
“Using an old Joomla Object Injection vulnerability, the attacker has managed to create an interesting chain that eventually can be leveraged for monetization through a phishing and spamming infrastructure,” researchers noted. “We predict that we will soon see evidence of such spamming methodologies in the near future.”
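For defenders, the flow Check Point describes leaves two things to hunt for: a base64 string in the User-Agent header that decodes to PHP, and a file at libraries/joomla/jmail.php. The Python below is an added example, not code from Check Point, Joomla! or Threatpost; the Combined Log Format input, the marker list and every function name are assumptions, and the sample log lines are constructed.

```python
import base64
import re
from pathlib import Path

# Last quoted field of a Combined Log Format line (escaped quotes allowed).
UA_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*$')
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumed marker list: strings typical of decoded PHP that fetches or writes files.
MARKERS = ("<?php", "eval(", "file_put_contents", "fopen(", "pastebin.com", "jmail.php")
# Drop path quoted in Check Point's report, relative to the Joomla! root.
DROP_PATH = Path("libraries/joomla/jmail.php")


def decoded_markers(user_agent):
    """Decode every base64-looking run in the header and return the markers found."""
    found = set()
    for run in B64_RUN.findall(user_agent):
        body = run.rstrip("=")
        try:
            text = base64.b64decode(body + "=" * (-len(body) % 4)).decode("latin-1")
        except ValueError:  # not valid base64 after all
            continue
        found.update(m for m in MARKERS if m in text.lower())
    return sorted(found)


def scan_access_log(lines):
    """Return (line_number, markers) for each request whose User-Agent decodes to PHP."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        match = UA_RE.search(line)
        markers = decoded_markers(match.group(1)) if match else []
        if markers:
            alerts.append((number, markers))
    return alerts


def drop_file_present(joomla_root):
    """True if the file named in the report exists under this Joomla! root."""
    return (Path(joomla_root) / DROP_PATH).is_file()


def constructed_sample():
    """Two constructed log lines: a normal browser and an inert base64 blob."""
    blob = base64.b64encode(b"<?php /* inert sample */ file_put_contents('PLACEHOLDER', '');").decode()
    prefix = '198.51.100.9 - - [05/Mar/2019:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    return [prefix + '"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/65.0"',
            prefix + '"sample-agent ' + blob + '"']
```

Calling `scan_access_log(constructed_sample())` flags only the second line; a hit in real logs is a lead to investigate alongside the on-disk check, since browsers do not send base64-encoded PHP in this header.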
The Adversary
The threat actor, Alarg53, is known for defacing websites by replacing their home pages with a “Hacked by Alarg53” message, according to Check Point. As such, he has primarily made his name as a hacktivist, hacking sites on the basis of ideology.
However, he gained notoriety in 2017 by hacking Stanford University servers via a WordPress vulnerability.
“At first, it was thought to be just another [defacement] attack, but within a few hours, two PHP files were uploaded to the relevant servers enabling them to send large amounts of spam mail,” Check Point researchers explained. “[From there], he started to monetize his activities through cryptomining attacks and [a] phishing infrastructure.”
His attacks have been global, affecting victims in France, India, Japan, Mexico, Portugal, the U.K. and the U.S.; industries affected include finance, banking and government, according to Check Point.
Now, using the Jmail Breaker approach, his game has changed to enable mass monetization campaigns, Check Point said.
“Whereas Alarg53 is a known hacker that has managed to hack more than 15,000+ sites, this time he has hit the big time as his attacks have evolved to include a significant and high‐scale backdoor and phishing infrastructure,” according to Check Point.
Threatpost received several comments on this posting from Joomla! (see comments section below) about the Jmail issue, disputing the veracity of Check Point’s findings. After reaching out to Check Point and speaking to the researchers, we have updated this post to make it clear that the attacker in the campaign has exploited a known bug, not a previously unknown issue in Jmail.
This post was updated on March 5 at 11:35 p.m. ET to include a comment from the Joomla! media team, and at 3:29 p.m. to reflect further input from Check Point.
This post was additionally updated March 6 at 3:14 p.m. ET to reflect further input from Joomla!
This post was also updated March 7 at 4:13 p.m. to remove the word “Jmail” from the headline.