Hackers could be exploiting two flaws in the popular open source CMS Joomla that allow remote users to create accounts and elevate their privileges on any Joomla site.
According to Daniel Cid, founder and CTO at Sucuri, there are two vulnerabilities that would enable attackers enough power to easily upload backdoor files and get complete control of the vulnerable site.
The flaws, CVE-2016-8870 and CVE-2016-8869, enable malicious actors to create accounts and gain higher privileges. The former stems from inadequate checks in Joomla, which let users register on a site even when registration had been disabled. The latter lets attackers misuse unfiltered data to register on a site with elevated privileges.
Cid said that despite patches being rushed out to fix the issue, he started to see mass exploit attempts across the web.
“In fact, because of the sharp increase, it's our belief that any Joomla! site that has not been updated is most likely already compromised,” he said in a blog post.
He said the first attacks started at around 1pm UTC on the 26th, less than 24 hours after the initial disclosure by the Joomla team. “Most of them were looking for the user.register tasks and trying to create users. They were especially targeting some of the most popular Joomla sites,” said Cid.
A few hours later a couple of IPs from Romania started a mass attack against thousands of different Joomla sites. In all of them, they tried to create a username called db_cfg with the password fsugmze3.
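As an added example (not from the article, Sucuri or the Joomla project), a short Python script that scans web-server access-log lines for requests carrying the Joomla user.register task Cid describes and counts them per source address, so an administrator can spot the kind of mass registration attempts outlined above. It assumes the combined log format and that the task name appears in the request line's query string; the sample log lines and the threshold are constructed for illustration.

```python
import re
from collections import Counter
from typing import Iterable, List

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Oct/2016:13:02:11 +0000] "POST /index.php?option=com_users&task=user.register HTTP/1.1" 303 412 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Oct/2016:13:02:12 +0000] "POST /index.php?option=com_users&task=user.register HTTP/1.1" 303 412 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Oct/2016:13:05:40 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Oct/2016:13:06:01 +0000] "POST /index.php?option=com_users&task=user.register HTTP/1.1" 303 412 "-" "python-requests/2.11"
192.0.2.44 - - [26/Oct/2016:14:10:09 +0000] "POST /index.php?option=com_users&task=user.register HTTP/1.1" 303 412 "-" "curl/7.50"
"""

# Fields of a combined-format line: client IP, timestamp, method, path (with query), status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_register_attempt(path: str) -> bool:
    """True when the request line targets the Joomla user.register task."""
    return "option=com_users" in path and "task=user.register" in path


def count_register_attempts(lines: Iterable[str]) -> Counter:
    """Count user.register requests per source IP across the given log lines."""
    hits: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_register_attempt(m.group("path")):
            hits[m.group("ip")] += 1
    return hits


def flag_sources(hits: Counter, threshold: int = 3) -> List[str]:
    """Return source IPs with at least `threshold` attempts, most active first."""
    return [ip for ip, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    counts = count_register_attempts(SAMPLE_LOG.splitlines())
    for ip in flag_sources(counts):
        print(f"{ip}: {counts[ip]} registration attempts")
```

A registration attempt whose task is sent only in the POST body will not show in the request line, so sites with registration disabled should also compare the Joomla users table against the expected account list.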
Cid recommended updating websites as soon as possible.
Ilia Kolochenko, CEO of High-Tech Bridge, told SC Magazine that if an organisation hasn't patched and has been infected, the first thing is to take the website offline and isolate the web server, so the attackers cannot come back during the investigation.
“The next step is to check all files and databases on the server for integrity in order to understand what, when and how it was compromised. In case of an advanced compromise (e.g. attackers managed to get local root on the server), more complicated forensics will be required to investigate OS/kernel compromise,” he said. “Once done, a recovery from a backup or server re-installation will be required.”
The final step is to patch all the vulnerabilities that were exploited by the attackers and make sure that all other patches and security updates on the server and web application are properly applied, according to Kolochenko.
Chris Copper, security team leader at SureCloud, told SC Magazine that the outcome of these particular flaws doesn't necessarily suggest that Joomla is any more susceptible than other popular content management systems (CMSs).
“There is currently no real evidence to suggest that this issue was exploited prior to the patch being released, and Joomla issued a pre-release notice to encourage administrators to patch as soon as the update was available. The crux of the issue here is that the patch was able to be reversed quickly, partially due to the use of an interpreted language, which is typical of other popular CMSs such as Wordpress and Drupal,” he said.