RSAC 2019: Joomla! Flaw Exploited to Create Mass Phishing Infrastructure

joomla jmail vulnerability

The Jmail Breaker attack leverages an old vulnerability in Joomla! along with a newly found flaw in the mail module.

SECOND UPDATE

Editor’s Note: It has come to our attention that Check Point’s findings are being questioned by Joomla! and others in the open-source ecosystem. Our story accurately reflects Check Point’s report — but it’s clear that the news isn’t about Jmail or the vulnerability (which is at least three years old), but rather that an attacker has set up a mass phishing infrastructure using an old attack pattern and is carrying out a campaign. Threatpost has reached out to Check Point again to get details as to how prolific the attack is and who the targets are, etc. and will update the post accordingly. Joomla! meanwhile has issued a statement on what it says are inaccuracies on the technical side of Check Point’s report. That statement can be found here

SAN FRANCISCO — A fresh campaign from a known adversary is using a known flaw in the popular Joomla! CMS platform to carry out a large-scale phishing and spam operation, according to researchers.

According to Check Point Research, a cybercriminal known as Alarg53 is using Jmail for phishing and spam, and has even implemented a fully fledged backdoor infrastructure within the platform to carry out those first two activities at scale.

“Indeed, by implementing simple manipulations on the User‐Agent header on HTTP requests, one can manipulate the platform and override the existing Jmail service,” explained the researchers, in findings released at the RSA Conference 2019.

For its part, Joomla! initially gave Threatpost a short statement: “The Joomla Project takes security very seriously and closely cooperates with reports to fix reported issues as fast as possible. As Check Point however did not reach out to us upfront, like it’s best practice in the security industry, we can’t comment or fix an issue that has not been published yet.”

It now has issued a longer statement discounting the Jmail override statement by Check Point.

According to Check Point, the adversary first exploited a known object injection remote code-execution (RCE) flaw in Joomla! to inject code into the User‐Agent header field in HTTP requests.

“The attacker injects a base64 string in the User‐Agent field. The PHP code then downloads the files and stores them in a specific path,” Check Point noted. “Once decoded, it is transformed into PHP code that runs on the victim’s machine. The code tries to download specific files from Pastebin and stores them in a designated path.”

That path happens to be “./libraries/joomla/jmail.php; in the recent campaign, Check Point said, adding that it found that the HTML file stored there contains PHP code with two major sections that serve two functionalities – sending mail and uploading files.

“Once downloaded and stored, the file actually overrides the current Joomla Jmail service,” the researchers said (note– Joomla! discounts this, noting in its statement that the file “does not ‘override’ the core JMail class.”

Check Point continued, “From now on, this file is actually an infrastructure in which the attacker can upload files and send mail for his own purposes. Based on our threat actor’s activity on the web, it seems this infrastructure is being used for phishing and mail spamming.”

Check Point has dubbed the attack “Jmail Breaker,” and researchers said that they expect it to be used by other adversaries in other attacks.

“Using an old Joomla Object Injection vulnerability, the attacker has managed to create an interesting chain that eventually can be leveraged for monetization through a phishing and spamming infrastructure,” researchers noted. “We predict that we will soon see evidence of such spamming methodologies in the near future.”

The threat actor, Alarg53, is known for defacing websites by replacing their home pages with a “Hacked by Alarg53” message instead, according to Check Point. As such, he has primarily made his name as a hacktivist, hacking sites on the basis of ideology.

However, he gained notoriety in 2017 by hacking Stanford University servers via a WordPress vulnerability.

“At first, it was thought to be just another [defacement] attack, but within a few hours, two PHP files were uploaded to the relevant servers enabling them to send large amounts of spam mail,” Check Point researchers explained. “[From there], he started to monetize his activities through cryptomining attacks and [a] phishing infrastructure.”

His attacks have been global, affecting victims in France, India, Japan, Mexico, Portugal, the U.K. and the U.S.; industries affected include finance, banking and government, according to Check Point.

Now, using the Jmail Breaker approach, his game has changed to enable mass monetization campaigns, Check Point said.

“Whereas Alarg53 is a known hacker that has managed to hack more than 15,000+ sites, this time he has hit the big time as his attacks have evolved to include a significant and high‐scale backdoor and phishing infrastructure,” according to Check Point.

Threatpost received several comments on this posting from Joomla! (see comments section below) about the Jmail issue, disputing the veracity of Check Point’s findings. After reaching out to Check Point and speaking to the researchers, we have updated this post to make it clear that the attacker in the campaign has exploited a known bug, not a previously unknown issue in Jmail.

For all Threatpost’s RSA Conference 2019 coverage, please visit our special coverage section, available here

This post was updated on March 5 at 11:35 p.m. ET to include a comment from the Joomla! media team, and at 3:29 p.m. to reflect further input from Check Point. 

This post was additionally updated March 6 at 3:14 p.m. ET to reflect further input from Joomla!

This post was also updated March 7 at 4:13 p.m. to remove the word “Jmail” from the headline.

Suggested articles

Discussion

  • Rowan Hoskyns Abrahall on

    Hi, I'm sorry but the information included in this article relates to something patched 2-3 years ago and is inciting panic where none is required. This article is pure FUD (Fear Uncertainty and Doubt) and is discrediting the organisation I am president of without reason. Please delete this or at least rewrite it so that it provided truth. Thank you Rowan Hoskyns Abrahall President - The Joomla Project
    • Tara Seals on

      Hi Rowan, Please feel free to respond to the research findings - I actually emailed your media team a couple of days ago for comment and reaction on this story before the embargo lifted and was told that you didn't want to make a statement, but that the security team might want to say something. Didn't hear anything back. I've also reached out to Check Point to get a reaction to your reaction. Thanks, Tara UPDATE: I actually just checked my mail and received a short statement from the media team that I'll drop into the story now.
  • Anonymous on

    Furthermore the file you refer to in this post doesn't even exist.
    • Tara Seals on

      If you could elaborate, that would be helpful. To be clear, obviously we're reporting on Check Point's findings, these are not our own. And incidentally I reached out to Joomla for comment before the story went live and they didn't want to make a statement.
  • Anonymous on

    /libraries/joomla/jmail.php does not exist in a standard Joomla! Installation. There is no refernece to this file even going several versions back. There is not even a library reference to a function or module/class “jmail”. This content hasn’t any valid reference in it that would, in the slightest, be considered accurate or useful. Please check back with your sources and update the article.
    • Tara Seals on

      Thanks very much - I'll reach out and update the post accordingly.
    • Tara Seals on

      Check Point told me, "Regarding the comment below, we found the hacker is using this specific path during his attack and even provided a screenshot for it in our blog."
  • Rowan Hoskyns Abrahall on

    Checkpoint are wrong. We have issued a statement. Linked to in previous comment. I am also considering contacting our Lawyers as this level of FUD has no place in the Open Source Ecosystem. Rowan.
  • Rowan Hoskyns Abrahall on

    https://www.joomla.org/announcements/general-news/5762-a-statement-on-the-recent-report-by-check-point.html
    • Tara Seals on

      Thanks -- I'm going to update the story again.
  • brian teeman on

    Yes they are using the file in the screenshot -it is a file the hacker created. It would take a real security researcher 30 seconds to discover that.
  • Anonymous on

    This is just irresponsible journalism on both the part of Checkpoint and Threatpost. You people need to do better.
  • David Jardin on

    > but it’s clear that the news isn’t about Jmail The *headline* of the article is "RSAC 2019: Joomla! Mail Flaw Exploited to Create Mass Phishing Infrastructure" - how can a news with such headline not be about Jmail!? Seriously Tara, this is a ridiculous statement.
    • Tara Seals on

      Hi David -- it's been a saga. Check Point gave us the report under NDA, and I wrote it up -- but it has since come to light that Check Point's findings are flawed (they admitted to me that they made a mistake and that their report was improperly framed). So hence the editor's note and the updates and corrections.
  • Rowan Hoskyns Abrahall on

    Thank you for making inroads into doing the right thing here.
    • Tara Seals on

      Many apologies for the saga that this has been, Rowan.
  • Martijn Maandag on

    If I read your comments: Why don't you remove the whole story and write an apology?

Leave A Reply to Anonymous Cancel Reply

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.