Security researchers have discovered thousands of backdoored plugins and themes for popular content management systems (CMS) that attackers could use to compromise web servers on a large scale.
The Netherlands-based security firm Fox-IT has published a whitepaper revealing a new backdoor named “CryptoPHP.” Security researchers have uncovered malicious plugins and themes for WordPress, Joomla and Drupal. There is slight relief for Drupal users: only themes, not plugins, have been found carrying this backdoor. These backdoored plugins and themes are used to compromise web servers.
According to the report, site administrators are lured into downloading pirated themes and plugins so they can avoid paying for them. In this way the bad actors social-engineer a site admin into installing the included backdoor on their own server. The backdoor can be controlled in several ways: through command-and-control (C2) server communication, through email, and manually.
A majority of the C&C servers used by the threat are located in the Netherlands (40%), Germany (40%), and the United States (18%).
“By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social-engineering site administrators into installing the included backdoor on their server,” Fox-IT said in its analysis of the attack. Other capabilities of the CryptoPHP backdoor include:
- Integration into popular content management systems like WordPress, Drupal and Joomla
- Public key encryption for communication between the compromised server and the command and control (C2) server
- An extensive infrastructure in terms of C2 domains and IPs
- Backup mechanisms in place against C2 domain takedowns in the form of email communication
- Manual control of the backdoor in addition to the C2 communication
- Remote updating of the list of C2 servers
- Ability to update itself
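Because the infection vector is a tampered plugin or theme installed by the administrator, the practical defence is integrity checking: record a hash manifest of each plugin or theme as shipped by the official source, then compare the installed copy against it to find files that were added or altered. The script below is an added example written for this article; it is not Fox-IT's tooling and not taken from the whitepaper. The plugin name, file names and contents are constructed for the demonstration, and the manifest must be built from a copy obtained from the vendor's official distribution, since a baseline taken from a pirated copy would simply enshrine the backdoor.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file (path relative to root) to the SHA-256 hex digest of its contents."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()
            ).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files that were added, removed or modified relative to the trusted baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a baseline for a constructed plugin, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical plugin layout; every file here is constructed for the example.
        plugin = Path(tmp) / "example-plugin"
        (plugin / "inc").mkdir(parents=True)
        (plugin / "plugin.php").write_text("<?php // constructed clean plugin entry point\n")
        (plugin / "inc" / "helper.php").write_text("<?php // constructed helper\n")

        # Baseline taken from the clean copy (in practice: the official download).
        baseline = build_manifest(plugin)

        # Simulate a backdoored redistribution: one injected file plus a
        # modified entry point that pulls it in.
        (plugin / "inc" / "extra.php").write_text("<?php // constructed stand-in for injected code\n")
        (plugin / "plugin.php").write_text(
            "<?php // constructed clean plugin entry point\ninclude 'inc/extra.php';\n"
        )

        return diff_manifests(baseline, build_manifest(plugin))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it against a real installation by calling `build_manifest()` once on the vendor copy, storing the result, and calling `diff_manifests()` against a fresh manifest of the live plugin directory after installation and periodically thereafter; any entry under `added` or `modified` that was not produced by a legitimate update deserves a look.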