Massive hacking campaign on Joomla sites via recently patched flaws

Experts from the firm Sucuri observed a spike in the number of attacks in less than 24 hours after Joomla released patches for two critical flaws.

On October 25, Joomla released the version 3.6.4 to fix two high severity vulnerabilities, CVE-2016-8870, and CVE-2016-8869.

The first flaw, tracked as CVE-2016-8870, could be exploited by attackers to create user accounts even if account registration is disabled, while the second flaw, tracked as CVE-2016-8869, can be exploited by users to register on a website, but with elevated privileges.

A combination of these flaws can be exploited to upload a backdoor and gain complete control of vulnerable Joomla websites.

Every time a flaw is public disclosed it is a race between website administrators and hackers that scan the web for vulnerable Joomla versions.

It is quite easy to locate vulnerable versions exposed online, for this reason, experts from security firm Sucuri monitored the attacks attempts on the vulnerable Joomla version in the wild.

Data collected by Sucuri are eloquent, the number of attacks drastically increased shortly after the patches were released by Joomla. The experts observed several attacks launched within 24 hours against some of the most popular Joomla websites.

The researchers discovered a first mass hacking campaign originated from three IP addresses in Romania, the hackers attempted to create an account with the username “db_cfg” and the password “fsugmze3” on thousands of Joomla sites. Below the three IPaddresses used by the attackers.

82.76.195.141
82.77.15.204
81.196.107.174

Sucuri also detected another IP address from Latvia used to attack the Joomla websites.

“They were the ones doing this initial mass exploitation campaign. Shortly after, another IP address from Latvia started a similar mass exploit campaign trying to register random usernames and passwords on thousands of Joomla sites.” reads the analysis published by Sucuri.

Obviously, the number of attacks increased in a significant way after the experts started sharing exploits.

“After these initial mass exploits, multiple researchers and security professionals started to share different exploits for this attack. Some of them are even automating the upload of backdoors and using some unique techniques to bypass the media uploader (using .pht files).” continues Sucuriti.

“That led to a massive increase in IP addresses trying to exploit this vulnerability using different patterns and techniques.”

On October 28,the number of infections peaked 27,751, of course, the figure is likely to be greater.

It is important to apply the updates to Joomla websites to secure them, administrators urge to check their logs for activity from the IP addresses shared by the experts at Sucuri. Be careful to the creation of suspicious admin accounts.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CMS, hacking)