Updated! SiteLock has identified a new double threat malware called Tusayan that not only grants administrative privileges to the hacker, but also exposes the victim’s files publicly on the web.
The malware is operating in the wild and so far SiteLock has identified 1,200 websites impacted by these attacks have been cached by search engines which leads the company to believe about 5.000 websites overall have been affected, Logan Kipp, Product Evangelist at SiteLock told SC Media.
An attack starts off by injecting IndoXploit Shell, which is normally used to deface a website, but in this case the malware uses the shell kit to snatch the configuration files found in the content management system (CMS) under attack and saving them to a plain text file, SiteLock reported. So far, SiteLock has identified only older versions of WordPress, Joomla and Magento content management systems as being vulnerable and are exploiting known vulnerabilities.
“While these text files may seem innocuous, they contain sensitive credentials that a hacker could use to access CMS-connected databases on target hosting accounts,” Kipp said.
The malware not only enables an attacker to obtain administrative control of a computer, but it also makes the computer’s information publicly available on the web. The reason for this is oddly practical, from the cybercriminals point of view.
“Based on the information that we’ve gathered so far, this trend is not a part of a blackmail scheme, but rather a way for the hackers to conveniently retrieve the details themselves. In many cases we’ve seen that the directory has .htaccess-based protection in place to prevent the public from accessing the credentials, but also a large portion is completely unprotected and available to the public,” he said.
The code manages to stay hidden from many security programs, Kipp noted, suggesting cybersecurity teams manually add this piece of code to their security programs so it can identify an attack.
Because the malware only goes after known issues with these CMS programs Kipp said it is imperative that those using this software are up to date with their security patches.
“This should really drive home the importance of patching your CMS platform to website owners. Automated campaigns like these are run on an ongoing basis, which attack websites on an almost indiscriminate basis. The majority of web attacks aren’t targeting websites based on their content or popularity, but based on their use of vulnerable outdated software. These are the low-hanging fruit of the web, he said.
Update includes additional comment from Logan Kipp.