Just 24 hours after the Joomla project released security update 3.6.4, which fixed two critical security holes, attackers had already started looking for unpatched systems and then began mass scans of the Internet.
The two security flaws are tracked as CVE-2016-8870 and CVE-2016-8869. The first allows attackers to create accounts remotely on Joomla sites, while the second allows users to elevate their account privileges to manager level.
The Joomla team and Davide Tampellini, the Joomla engineer who discovered the latter flaw, declined to publish any technical details about it. Many researchers, however, reverse-engineered 3.6.4, identified the modifications, and were able to work out the exploit methodology. Numerous weaponized exploits were then created and released online.
Sucuri's security team, which also reverse-engineered 3.6.4, published a proof of concept (PoC) and added detection for the exploit code to its web firewall.
Sucuri thus gained the ability to detect hacking attempts for both of these security holes. The company reported that about 24 hours after Joomla released the 3.6.4 update, it saw three IP addresses from Romania hitting some of the biggest Joomla sites around the world.
The attackers were trying to exploit the two flaws and create a user named “db_cfg” with the password “fsugmze3”.
Twelve hours after that, the three IPs began mass scans on the internet, searching for every Joomla website.
Shortly afterwards, a second attacker using an IP from Latvia began his own mass scans, using random user account names with "ringcoslio1981@gmail.com" as the email address.
Watch for these IPs:
82.76.195.141
82.77.15.204
81.196.107.174
185.129.148.216
Sucuri recommends that Joomla webmasters search their web server logs for these IP addresses.
Attackers will generally try to access the following URL:
/index.php/component/users/?task=user.register
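The log check Sucuri recommends can be automated. The following is an added example written for this article, not code from Sucuri or the Joomla project: it parses Apache/nginx "combined" access log lines (an assumed format; adjust the regex if your vhost logs differently), flags any request from the four IP addresses listed above, and flags any request to the user registration endpoint quoted above, noting separately when it is a POST, since that is the request that would actually submit a registration. The log lines in SAMPLE_LOG are constructed for the demonstration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# The four IP addresses reported by Sucuri in the article above.
WATCHLIST_IPS = {
    "82.76.195.141",
    "82.77.15.204",
    "81.196.107.174",
    "185.129.148.216",
}

# The registration endpoint the article says attackers request.
REGISTER_PATH = "/index.php/component/users/"
REGISTER_TASK = "task=user.register"

# Apache/nginx "combined" log format (assumption; adapt to your own LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    try:
        ip_address(entry["ip"])  # reject lines whose first field is not an address
    except ValueError:
        return None
    return entry


def classify(entry):
    """Return the list of reasons a parsed request is suspicious (empty if none)."""
    reasons = []
    if entry["ip"] in WATCHLIST_IPS:
        reasons.append("ip-on-watchlist")
    path = entry["path"]
    if path.startswith(REGISTER_PATH) and REGISTER_TASK in path:
        reasons.append("registration-endpoint")
        if entry["method"] == "POST":
            # A POST is the request that would actually submit the registration form.
            reasons.append("registration-post")
    return reasons


def scan_log(lines):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "method": entry["method"],
                "path": entry["path"],
                "status": entry["status"],
                "reasons": reasons,
            })
    return findings


def hits_per_ip(findings):
    """Count suspicious requests per client address, for a quick triage view."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges used here for the non-watchlisted clients.
SAMPLE_LOG = [
    '82.76.195.141 - - [26/Oct/2016:10:15:02 +0000] "POST /index.php/component/users/?task=user.register HTTP/1.1" 303 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Oct/2016:10:16:40 +0000] "GET /index.php/component/users/?task=user.register HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [26/Oct/2016:10:17:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4096 "-" "curl/7.50"',
    '185.129.148.216 - - [26/Oct/2016:10:18:11 +0000] "GET /administrator/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {', '.join(f['reasons'])}")
    print(dict(hits_per_ip(results)))
```

To run it against a real server, replace SAMPLE_LOG with the lines of your access log (for example, `scan_log(open("/var/log/apache2/access.log"))`). A GET of the registration page from an unknown address is ordinary site traffic; a POST to it from one of the listed addresses is the combination worth investigating.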
“We believe that any Joomla! website that has not been updated is already in jeopardy,” said Daniel Cid, Founder and CTO of Sucuri.
"Every Joomla site on our network has been hit (and blocked by Sucuri Firewall) and I guess it has happened on every site."
The same thing happened last year when the Joomla project patched the zero-day CVE-2015-8562 in version 3.4.6, released in mid-December. By the end of the year, attackers were averaging about 16,600 scans a day trying to exploit the flaw.