Within 24 hours of the Joomla project releasing the 3.6.4 security update, which fixed two critical security flaws, hackers had already begun looking for unpatched systems, and massive Internet-wide scans began.
The two vulnerabilities are listed as CVE-2016-8870 and CVE-2016-8869. The first allows attackers to remotely create accounts on Joomla websites, while the second allows account privileges to be elevated to administrator level.
The Joomla team and Davide Tampellini, the Joomla engineer who discovered the latter flaw, declined to publish any technical details about the second flaw. Many malicious researchers, however, reverse-engineered the 3.6.4 update, isolated the modifications, and managed to work out the exploit methodology. As a result, numerous weaponized exploits were created and released online.
The Sucuri security team, which also reverse-engineered the 3.6.4 update, published a proof-of-concept (PoC) on its website and added the exploit code to its web firewall.
Sucuri thereby gained the ability to detect hacking attempts against both of these security flaws. The company reported that about 24 hours after Joomla released 3.6.4, it saw three IP addresses from Romania hit some of the biggest Joomla sites around the world.
The attackers were trying to exploit both flaws and create a user named “db_cfg” with the password “fsugmze3”.
Twelve hours after that, the three IPs began mass scans on the internet, searching for every Joomla website.
Soon after, a second attacker using an IP from Latvia started his own mass scans, using random user account names with “ringcoslio1981@gmail.com” as the email address.
Watch for these IPs:
82.76.195.141
82.77.15.204
81.196.107.174
185.129.148.216
Sucuri recommends that Joomla webmasters look for these IP addresses in their website logs.
Attackers will generally try to access the following URL:
/index.php/component/users/?task=user.register
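As an added example (not from the article or from Sucuri), a small Python checker for the log review Sucuri recommends: it parses combined-format access log lines and flags requests coming from the listed IPs or aimed at the registration URL above. The log lines are constructed samples, not real traffic.

```python
import re

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [26/Oct/2016:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
82.76.195.141 - - [26/Oct/2016:10:01:05 +0000] "POST /index.php/component/users/?task=user.register HTTP/1.1" 303 0 "-" "python-requests/2.11"
198.51.100.7 - - [26/Oct/2016:10:02:00 +0000] "POST /index.php/component/users/?task=user.register HTTP/1.1" 303 0 "-" "curl/7.50"
185.129.148.216 - - [26/Oct/2016:10:03:11 +0000] "GET /administrator/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Oct/2016:10:04:30 +0000] "GET /images/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# The four scanner IPs the article lists, and the registration endpoint it says attackers hit.
WATCHLIST = {"82.76.195.141", "82.77.15.204", "81.196.107.174", "185.129.148.216"}
REGISTER_PATH = "/index.php/component/users"

# ip, ident, user, [timestamp], "METHOD path PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons a request is worth a look (empty list if none)."""
    reasons = []
    if entry["ip"] in WATCHLIST:
        reasons.append("known scanner ip")
    path, _, query = entry["path"].partition("?")
    if path.rstrip("/") == REGISTER_PATH and "task=user.register" in query:
        # Normal self-registration is a browser POST; scripted attempts show up here as well,
        # so the method is recorded to help tell a burst of automated POSTs from real users.
        reasons.append("registration endpoint" + (" (POST)" if entry["method"] == "POST" else ""))
    return reasons

def scan_log(text):
    """Return (ip, method, path, reasons) for every flagged line, in log order."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip unparseable lines rather than crash on a malformed log
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["method"], entry["path"], reasons))
    return hits

if __name__ == "__main__":
    for ip, method, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:16} {method:5} {path}  <- {', '.join(reasons)}")
```

A single POST to the registration URL is not proof of an attack; a run of them from one IP with a scripted user agent, or from an IP on the list above, is what to escalate.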
“We believe that any Joomla! website that has not been updated is already in jeopardy,” said Daniel Cid, Founder and CTO of Sucuri.
"Every Joomla site on our network has been hit (and blocked by Sucuri Firewall) and I guess it has happened on every site."
Exactly the same thing happened last year, when the Joomla project patched the zero-day CVE-2015-8562 in version 3.4.6, which was released in mid-December. By the end of the year, attackers were performing an average of about 16,600 scans per day trying to exploit the flaw.