This CMS cyberattack affected thousands of sites around the world

Imperva security researchers tracked down and analyzed a highly sophisticated botnet that they believe is responsible for infecting hundreds of thousands of websites by attacking their content management system (CMS) platforms. The botnet, called KashmirBlack, has been running since November of last year, and while it started small, it has now grown into a sophisticated operation capable of attacking thousands of sites every day.

In their two-part blog series titled "CrimeOps of the KashmirBlack Botnet," Imperva researchers explained that the botnet's main goals are to infect websites in order to use their servers to mine cryptocurrency, redirect legitimate web traffic to spam pages, and show web defacements. KashmirBlack operators exploit known vulnerabilities to take over sites running a wide variety of popular CMS platforms, including WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager.

KashmirBlack

Ofir Shaty and Sarit Yerushalmi of Imperva provided additional information on KashmirBlack's abilities in a blog post, saying: "The KashmirBlack botnet mainly infects popular CMS platforms. It uses dozens of known vulnerabilities on its victims' servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world. It has a complex operation managed by a C&C (Command and Control) server and uses more than 60 mostly innocent surrogate servers as part of its infrastructure. It manages hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet."

To expand the size of its botnet, KashmirBlack searches the Internet for sites running outdated software. When it finds one, its operators use exploits for known vulnerabilities to infect both the vulnerable site and its underlying server. Since its inception in November of last year, the botnet has abused 16 vulnerabilities in Joomla!, Magento, Yeager, WordPress, vBulletin and other CMS software, according to Imperva.

The security company's researchers believe that a hacker who uses the handle Exect1337 and is a member of the Indonesian hacker group PhantomGhost is the person behind KashmirBlack.

Via ZDNet