A forensic investigation of the exposed sites by researchers at the Versafe Security Operations Center found that the exploit allows attackers to gain full control over the compromised systems with a variant of Zbot. While the Versafe Security Operations Center had noticed an increasing percentage of phishing and malware attacks against its clients being hosted from legitimate Joomla-based sites since 2009, the spike in the first-half of 2013 strongly suggested a particular vulnerability in the Joomla platform was being more readily exploited by attackers.
"What brought this vulnerability to our attention was that we noticed a sharp increase in the number of phishing and malware attacks being hosted from legitimate Joomla-based sites," said Eyal Gruner, CEO of Versafe, in a statement. "The series of attacks exploiting this vulnerability were particularly aggressive and widespread – involved in over 50% of the attacks targeting our clients and others in EMEA – and ultimately successful in infecting a great many unsuspecting visitors to genuine websites.”
The malware payload carries out information harvesting from compromised users, including login credentials, additional authentication information and so on, with the end goal of cashing out from compromised accounts.
During communication with the hosting providers, Versafe began to investigate the logs from several of the compromised servers and found that all attacks originated from the same Chinese source, using the same exploit. And, the attackers’ shell was found on the same relative path on each of the compromised servers.
The takeover shell and malicious content upload was automated. Given the compressed timeframe of the attack, Versafe surmised the attackers were using a new zero-day exploit.
Several of the compromised servers redirected users to a Blackhole landing page, thereby infecting them with a Zbot variant.
"There's no silver bullet for security, so F5 recommends a defense-in-depth approach," said Mark Vondemkamp, vice president of security product management and marketing at F5, a Versafe partner.
Fortunately, after Versafe gave details of the vulnerability to the Joomla Security Strike Team, a patch was released for versions 2.5.x and 3.1.x of the platform, as well as a community-developed fix for 1.5.x.