Attackers using Joomla servers with a vulnerable Google Maps plugin installed are launching distributed denial of service (DDoS) attacks, using reflection techniques.
Reflection DDoS attacks each take advantage of an Internet protocol or application vulnerability that allows DDoS attackers to reflect malicious traffic off a third-party server or device, hiding their identities and amplifying the amount of attack traffic in the process.
In this case, the company was able to identify more than 150,000 potential Joomla reflectors on the Internet. Although many of the servers appear to have been patched, reconfigured, locked or have had the plugin uninstalled, others remain vulnerable to use in the DDoS attacks.
"Vulnerabilities in web applications hosted by software-as-a-service providers continue to provide ammunition for criminal entrepreneurs,” said Stuart Scholly, senior vice president and general manager for the Security Business Unit at Akamai, in the advisory. “Now they are preying on a vulnerable Joomla plugin for which they've invented a new DDoS attack and DDoS-for-hire tool.”
In this case, Akamai said that a known vulnerability in a Google Maps plugin for Joomla allows the plugin to act as a proxy, or an intermediary server that processes a request and returns the result on behalf of someone else. Attackers spoof (fake) the source of the requests, causing the results to be sent from the proxy to someone else —i.e., to their denial-of-service target. The true source of the attack remains unknown, because the attack traffic appears to come from the Joomla servers.
“This is one more web application vulnerability in a sea of vulnerabilities —with no end in sight,” Scholly said. “Enterprises need to have a DDoS protection plan in place to mitigate denial-of-service traffic from the millions of cloud-based SaaS servers that can be used for DDoS."
With cooperation from PhishLabs' R.A.I.D, Akamai’s Prolexic Security Engineering & Research Team (PLXsert) matched DDoS signature traffic originating from multiple Joomla sites, which indicates vulnerable installations are being used en masse for reflected GET floods, a type of DDoS attack.
“Observed attack traffic and data suggest the attack is being offered on known DDoS-for-hire sites,” the firm reported.
PLXsert added that it mitigated a DDoS attack like this on behalf of an Akamai customer back in November, where the majority of the top attacking IP addresses originated from Germany. The same IP addresses that participated in this attack have participated in DDoS attacks against other Akamai customers in the industries of hosting, entertainment and consumer goods.
Refection-based DDoS attacks continue to gain in popularity. In the fourth quarter of 2014, Akamai's PLXsert count that 39% of all DDoS attack traffic employed reflection techniques.