Joomla Patches Zero Day Targeting EMEA Banks

Content management system Joomla patched a zero-day vulnerability that allowed attackers to upload malicious code that led victims to the Blackhole exploit kit.

Attackers have been abusing websites for months that are hosted on Joomla, WordPress and other content management platforms. One gaping vulnerability can open the door for a cybercrime group, for example, to build a formidable botnet, or lure victims to malware that can cash out a bank account or steal legitimate credentials.

A nasty Joomla vulnerability was recently patched, but not before attackers used a zero-day exploit to take over tens of thousands of sites and redirect victims to the Blackhole exploit kit, according to security company Versafe. Most of the attacks were against financial institutions in Europe, the Middle East and Asia and stemmed from an initial attack against 100 Joomla-hosted websites.

Joomla vulnerabilities have been a particular problem; 57 percent of the attacks Versafe has seen this year have come from sites hosted on the platform, up from 41 percent last year.

Joomla’s patch, released Aug. 1, fixes a flaw in versions 2.5.x and 3.x. An attacker with access to the media manager on the platform’s console could upload malware or any other malicious code by adding a period to the end of a php file, Versafe said. Users are urged to upgrade to version 2.5.14 or 3.1.5 immediately. Versafe also notes that on sites running older, unsupported versions of Joomla such as 1.5.x, attackers do not need an account on the server to upload code.
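The filter bypass described above is a general upload-validation failure, not something specific to Joomla: a check that only looks at the text after the last dot sees an empty extension in a name like "shell.php." and lets it through, while the filesystem that stores the file silently drops the trailing period. The following is an added example, not Joomla's code, that puts a hypothetical weak check beside a hardened one which normalizes the name first and inspects every extension segment; the allowed and executable extension lists are constructed for the example.

```python
"""Upload filename validation: a weak check beside a hardened one.

Added example, not taken from Joomla. The extension lists below are
constructed for illustration and are not Joomla's configuration.
"""
import os
import re

# Constructed policy values for the example.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar", "phps"}


def naive_is_allowed(filename: str) -> bool:
    """Hypothetical weak check: deny-list only the text after the last dot.

    A name ending in a period yields an empty extension, so this check
    treats "shell.php." as harmless even though the stored file will be
    "shell.php" once the filesystem discards the trailing period.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def normalize_filename(filename: str) -> str:
    """Reduce a client-supplied name to the form the filesystem will store."""
    # Drop any directory components the client may have supplied.
    name = os.path.basename(filename.replace("\\", "/"))
    # Strip trailing dots and whitespace, which some filesystems silently drop.
    name = name.rstrip(". \t")
    # Collapse everything outside a conservative character set.
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)


def hardened_is_allowed(filename: str) -> bool:
    """Allow-list check applied to the normalized name.

    Every extension segment is inspected, so "photo.php.jpg" is rejected
    as well as "shell.php."; dotfiles and names without an extension are
    rejected outright.
    """
    name = normalize_filename(filename)
    if not name or name.startswith("."):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for candidate in ("photo.jpg", "shell.php", "shell.php.", "photo.php.jpg", ".htaccess"):
        print(f"{candidate!r:18} naive={naive_is_allowed(candidate)!s:5} "
              f"hardened={hardened_is_allowed(candidate)}")
```

The design point is that validation must run on the name the storage layer will actually use, and should be an allow-list of known-safe extensions rather than a deny-list of dangerous ones; a server-side audit of the upload directory for stored files whose names resolve to executable extensions is the corresponding detection step.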

“What brought this vulnerability to our attention was that we noticed a sharp increase in the number of phishing and malware attacks being hosted from legitimate Joomla-based sites,” said Eyal Gruner, CEO of Versafe in a statement. “The series of attacks exploiting this vulnerability were particularly aggressive and widespread — involved in over 50% of the attacks targeting our clients and others in EMEA — and ultimately successful in infecting a great many unsuspecting visitors to genuine websites.”

Once attackers compromised a Joomla web server, Versafe observed them hosting phishing sites used to steal credit card numbers or harvest credentials, as well as luring victims to sites hosting Blackhole. Once there, victims are infected with the Zeus Trojan, which harvests financial logins that can lead to wiped-out bank accounts and additional malware infections.

Versafe said the attackers were using IP addresses based in China and launching the same exploit against their targets.

Just last week, Joomla sites—along with WordPress and Datalife Engine—were compromised and recruited into the Fort Disco botnet. Made up of 25,000 Windows machines, Fort Disco is similar to Brobot which was used in distributed denial of service attacks against U.S. financial institutions late last year. The new campaign is a large-scale brute force attack where the compromised machines receive a list of common usernames and password combinations, usually default or weak passwords, to try to compromise victims. Once in, the botmaster can send in additional payloads that can lead victims to the Styx exploit kit in some cases, or the bots could be harvested and used in a future DDoS attack.

A similar brute-force campaign was discovered in April, this one built with sites hosted on WordPress; attacks were discovered targeting administrative credentials with default or weak passwords. Web host HostGator reported 90,000 IP addresses involved in this particular attack.
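Both the Fort Disco campaign and the April WordPress campaign above work the same way from the server's side: many POST requests to an administrative login page from the same source in a short period. The following is an added example, not code from Versafe, HostGator or either CMS project, that parses constructed Apache-style access log lines and flags source addresses that exceed a threshold of login POSTs inside a sliding time window; the login paths, threshold and window are assumptions chosen for the example.

```python
"""Flag brute-force login attempts in web server access logs.

Added example; the log lines, paths, threshold and window are constructed
for illustration rather than taken from any real incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format, trimmed to the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed login endpoints for Joomla and WordPress.
LOGIN_PATHS = ("/administrator/index.php", "/wp-login.php")

# Constructed sample: one source hammers the Joomla admin login, another
# makes two widely spaced WordPress logins, plus unrelated and malformed lines.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2013:10:00:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2013:10:00:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
198.51.100.5 - - [05/Aug/2013:10:00:05 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2013:10:00:06 +0000] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2013:10:00:09 +0000] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
this line is not in the expected format
203.0.113.7 - - [05/Aug/2013:10:00:12 +0000] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2013:10:00:15 +0000] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
198.51.100.5 - - [05/Aug/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.5 - - [05/Aug/2013:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


def find_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Map each source IP to its peak count of login POSTs within `window`.

    Only IPs whose peak count reaches `threshold` are returned. Every POST
    to a login path is counted, since status codes for failed logins
    differ between applications and configurations.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            events[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} login POSTs within 5 minutes")
```

With the defaults, the sample flags only 203.0.113.7; widening the window to an hour with a threshold of two also catches the slower WordPress source, which is the trade-off to tune against a site's normal admin traffic before feeding the result to a rate limiter or block list.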
