In infosec, unseen vulnerabilities such as an outdated CMS can cause you to go from the G.O.A.T. one day to the goat the next. Bear with me...
Vulnerabilities related to outdated versions of the Joomla! CMS have recently taken a heavy toll on websites around the world. A quick search for Joomla! on exploit-db.com returns 1,222 entries, many of which are related directly to version 1.5, and range from cross-site scripting issues to SQL injections to token issues that allow an attacker to change the admin password remotely.
I got curious about what I might find if I searched RiskIQ data for sites running this particularly vulnerable CMS. I began by running a query for every injection we detected for the last week, then pulling out the unique domains which totaled 562. I then checked those domains against our PassiveTotal data to see what components the web pages were running. It turns out, 73 (13 percent) of the compromised sites were running Joomla! 1.5.
One of these sites was suffering from a nasty case of Pseudo Darkleech, while the rest had been compromised and injected with Indyiframe, a malicious redirector we have observed pushing traffic to multiple exploit kits. This redirector is frequently seen distributing traffic from compromised Joomla! based websites and other researchers have reported cases of traffic originating from WordPress. Attackers have been observed using Indyiframe to push traffic to the RIG and Neutrino exploit kits, and distributing several malware families such as Cerber and CryptoBit ransomware and the Gootkit trojan.
However, out of all the compromised Joomla! sites, my favorite is "regionkozla[dot]pl." "Kozla" translates to "goat" and is also the word for a variety of bagpipes made out of an entire goat body. "Region Kozla" translates to "goat region," a part of Poland where, ostensibly, they play these caprine instruments:
Below, PassiveTotal confirms regionkozla[dot]pl is running this outdated version of Joomla!:
I got curious about how many other sites are running Joomla! 1.5 and how many of those we detected as compromised. PassiveTotal reports 1,356,318 total records of sites that run this vulnerable CMS.
I pulled out 2,000 of these domains and ran a query against RiskIQ data to see how many had malicious injections. Out of this dataset, we detected injections on 17 distinct domains, or about 0.85 percent of the total. If this sample is representative of the total number of Joomla! 1.5 sites we’ve collected, it would suggest that around 11,000 could be compromised and injected with scripts leading to malicious content.
Below is a shot of the script with which our goat-loving friends (among others) have been injected and which has been observed leading to multiple exploit kits.
Know your Digital Footprint, Find your CMS Vulnerabilities
Attackers performing reconnaissance will often find unknown, unprotected, and unmonitored assets to use as attack vectors. For a large enterprise, these types of assets are typically easy for even novice hackers and threat groups to find, and because they’re unmonitored, provide an easy way in and out. To defend yourself, you need to know what attackers see when they’re looking at you. After all, following an attack or breach, saying “we didn’t know that asset existed,” doesn’t mitigate the damage done.
Once you have an accurate picture of your digital footprint, including CMS vulnerabilities like Joomla! 1.5, it is far easier to understand and implement mitigation techniques to ensure that all of your external assets are protected. This inventory of your assets is also critical for compliance with numerous industry regulations.
Get your organization’s Digital Footprint in RiskIQ Community Edition. Sign up for free today.
The RiskIQ Intelligence Connector for Microsoft Azure Sentinel Is the Context-Rich Force Multiplier Security Teams Need
Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evo...