Just 24 hours after the Joomla project released security update 3.6.4 which identified two critical security gaps, οι hackers είχαν ήδη αρχίσει να αναζητούν για unpatched systems and then began massive Internet scans.
The two security gaps are referred to as CVE-2016-8870 and CVE-2.016-8.869. The first allows attackers to create remote accounts on Joomla sites, while the second allows users to raise account privileges at manager level.
Η ομάδα του Joomla και ο Davide Tampellini, ο μηχανικός του Joomla που ανακάλυψε το τελευταίο ελάττωμα, αρνήθηκε να δημοσιεύσει οποιεσδήποτε τεχνικές λεπτομέρειες για το δεύτερο ελάττωμα. Πολλοί κακόβουλοι ερευνητές όμως με αντίστροφη engineering στην ενημέρωση 3.6.4, ξεχώρισαν τις τροποποιήσεις, και κατάφεραν να διακρίνουν τη μεθοδολογία του exploit. Έτσι δημιούργησαν πολυάριθμα weaponized exploits που κυκλοφόρησαν online.
Sucuri's security team, which carried out reverse engineering at 3.6.4, published a proof-of-concept PoC and added the exploit code to its web firewall.
So Sucuri gained the ability to detect hacking attempts for both of these security blanks. The company reported that about 24 hours after the release of 3.6.4 from Joomla saw three IP addresses from Romania hit some of Joomla's biggest sites around the world.
The attackers tried to exploit the two errors and create a user named "db_cfg" and password "fsugmze3 ″.
Twelve hours after that, the three IPs began mass scans on the internet, searching for every Joomla website.
Shortly afterwards, a second perpetrator using an IP from Latvia began his own mass scans, using random user account names with "ringcoslio1981@gmail.com" as the email address.
Watch these IPs
82.76.195.141
82.77.15.204
81.196.107.174
185.129.148.216
Sucuri recommends joomla webmasters to look for their IP addresses in their web site logs.
Attackers will generally try to access the following URL:
/index.php/component/users/?task=user.register
“We believe that any Joomla! that has not been informed is already in danger", says o Daniel Cid, Founder and CTO of Sucuri.
"Every Joomla site on our network has been hit (and blocked by Sucuri Firewall) and I guess it has happened on every site."
The same thing happened last year when the Jomula project repaired the zero-day CVE-2015-8562 in the 3.4.6 version, released in mid-December. By the end of the year, attackers were averaging about 16.600 scans a day, trying to exploit the flaw.
