Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Massive hacking campaign on Joomla sites via recently patched flaws

Experts from the firm Sucuri observed a spike in the number of attacks in less than 24 hours after Joomla released patches for two critical flaws. On October 25, Joomla released the version 3.6.4 to fix two high severity vulnerabilities, CVE-2016-8870, and CVE-2016-8869. The first flaw, tracked as CVE-2016-8870, could be exploited by attackers to create user accounts even if […]

Massive hacking campaign on Joomla sites via recently patched flaws

Experts from the firm Sucuri observed a spike in the number of attacks in less than 24 hours after Joomla released patches for two critical flaws.

On October 25, Joomla released the version 3.6.4 to fix two high severity vulnerabilities, CVE-2016-8870, and CVE-2016-8869.

The first flaw, tracked as CVE-2016-8870, could be exploited by attackers to create user accounts even if account registration is disabled, while the second flaw, tracked as CVE-2016-8869, can be exploited by users to register on a website, but with elevated privileges.

A combination of these flaws can be exploited to upload a backdoor and gain complete control of vulnerable Joomla websites.

Every time a flaw is public disclosed it is a race between website administrators and hackers that scan the web for vulnerable Joomla versions.

It is quite easy to locate vulnerable versions exposed online, for this reason, experts from security firm Sucuri monitored the attacks attempts on the vulnerable Joomla version in the wild.

Data collected by Sucuri are eloquent, the number of attacks drastically increased shortly after the patches were released by Joomla. The experts observed several attacks launched within 24 hours against some of the most popular Joomla websites.

The researchers discovered a first mass hacking campaign originated from three IP addresses in Romania, the hackers attempted to create an account with the username “db_cfg” and the password “fsugmze3” on thousands of Joomla sites. Below the three IPaddresses used by the attackers.

82.76.195.141
82.77.15.204
81.196.107.174

Sucuri also detected another IP address from Latvia used to attack the Joomla websites.

“They were the ones doing this initial mass exploitation campaign. Shortly after, another IP address from Latvia started a similar mass exploit campaign trying to register random usernames and passwords on thousands of Joomla sites.” reads the analysis published by Sucuri.

Obviously, the number of attacks increased in a significant way after the experts started sharing exploits.

“After these initial mass exploits, multiple researchers and security professionals started to share different exploits for this attack. Some of them are even automating the upload of backdoors and using some unique techniques to bypass the media uploader (using .pht files).” continues Sucuriti.

“That led to a massive increase in IP addresses trying to exploit this vulnerability using different patterns and techniques.”

joomla exploits attacks

On October 28,the number of infections peaked 27,751, of course, the figure is likely to be greater.

It is important to apply the updates to Joomla websites to secure them, administrators urge to check their logs for activity from the IP addresses shared by the experts at Sucuri. Be careful to the creation of suspicious admin accounts.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CMS, hacking)