Researchers spotted attackers exploiting the latest Joomla vulnerability to install backdoors and then patching it to prevent others attackers from gaining access.
To make matters worse, any website that didn't apply the patch has likely been hacked as less than 24 hours after Joomla disclosed the release of patches for a high security privilege elevation vulnerability and an account creation vulnerability, Sucuri researchers spotted threat actors looking to test and verify if the vulnerability was present in the wild, according to an Oct. 28 blog post.
Fidelis Cybersecurity threat systems manager John Bambenek compared the attacks to Microsoft patches that were used by adversaries to gain “the very clues needed to weaponize” flaws. “In the end, unlike end user workstations, website operators really do have a responsibility if they are running services -- especially for other users -- to make sure their installations are up-to-date.”
Sucuri Researcher Daniel Cid noted that the first attacks started around 1 p.m. UTC on Oct. 26 and with attackers targeting popular Joomla sites with most of the attackers looking for the user.register tasks and trying to create users.
A few hours later, researchers began spotting mass exploits with all of the exploits attempting to create a username called “db_cfg” with the password “fsugmze3”, all going to the same URL and carrying the same malicious payload.
“The initial campaign targeting this vulnerability came from multiple Romanian IP addresses, so we can guess it is coming from there,” Cid told SCMagazine.com via emailed comments. “We can't pinpoint any specific group yet, but we are watching to see if we can find any correlation with other known groups we monitor.”
He said the researchers found it interesting that after the compromise, the hackers were hiding multiple PHP backdoors within the site and then patching the Joomla vulnerability for the victims, presumably to prevent other people from hacking the same site.
Cid recommended that every Joomla webmaster to update their sites as soon as possible and check for signs of compromise.