by | 10 Nov 2020

5 things to know about KashmirBlack, the CMS-hacking botnet

Covid-19 is not the only infection that has spread like wildfire this year. Since late 2019, a computer virus has also been thriving, attacking vulnerable CMS and compromising tens of thousands of websites all over the world. Its goal is to form a ‘zombie network’ that can be used to distribute malware and illegally mine cryptocurrency. CyberProtection 360° boasts defence mechanisms especially designed to protect SMEs’ websites and e-commerce servers.

1. What is a botnet?

A botnet is to cybersecurity what zombies are to horror films. With the only difference being that botnets actually exist! A portmanteau of the words ‘robot’ and ‘network’, a botnet is a network of infected computers controlled remotely by a C&C server to carry out large-scale cyber attacks. They can be used to perform denial of service attacks, spam campaigns, data theft or spread a variety of malicious programs. In the case of KashmirBlack, the aim is to pool together the computing power of several computers for the purposes of cryptojacking.


OZON protection cybersécurité pour CMS


The targets: WordPress, Joomla and Drupal, as well as PrestaShop, Magento and osCommerce

2. Who’s behind this cyber attack?

Imperva, a California-based firm specialising in cybersecurity, investigated KashmirBlack and followed the trail back to a known Indonesian hacker who goes by the name of Exect1337. He belongs to PhantomGhost, an organisation that is flourishing in a country home to the majority of the world’s cybercriminals. The botnet is said to be managed by a Command and Control (C&C) server and over sixty surrogate servers. It may even have been migrated to Dropbox to hide its operations and continue to spread under the radar.

3. Which CMS does KashmirBlack target?

According to the experts at Imperva, KashmirBlack preys on known security vulnerabilities in the market’s common CMS platforms. Last month, they identified sixteen flaws used by KashmirBlack, and no CMS appears to be spared. Whether it the most popular platforms (WordPress, Joomla, Drupal) or those designed for e-commerce (PrestaShop, Magento, osCommerce), it shows no mercy. Besides the well-known PHPUnit RCE (CVE-2017-9841) vulnerability, the cyber attacks also specifically target flaws in CMS plugins and themes. As early as March, Clubic reported a wave of hacks targeting WordPress. The market leader was the focus of 90% of CMS hacks in 2018 according to Sucuri, another American cybersecurity specialist.

4. What are the consequences for infected sites?

KashmirBlack carries out three types of computer attack:

  • Malicious redirection of the infected website’s traffic towards spam pages designed to steal users’ private data;
  • Illegal cryptomining (cryptojacking), i.e. the non-authorised use of compromised server resources to create Monero cryptocurrency;
  • Defacement of websites, for example to show politically hostile messages to France with regard to international tensions over Islamist terrorism.

Is your website or e-commerce site running slowly? You have perhaps been infected

5. How can you protect yourself against KashmirBlack?

Most of the time, zombie networks infect their victims on the sly, meaning owners of the corrupt websites and servers don’t even realise what has happened. The only indication may be a slow server. The best way to avoid unwillingly joining the ranks of a botnet army is to apply the security patches released by platforms as soon as possible. This means updating your CMS in real time to minimise exposure. But that won’t stop zero-day attacks, which target vulnerabilities yet to be identified by publishers.

A solution like CyberProtection 360° is capable of preventing the KasmirBlack botnet from exploiting CMS’ security flaws. To make this possible, OZON has developed ‘virtual web patching’, which helps avoid CMS vulnerabilities being exploited even when security patches haven’t been applied. To find out how vulnerable your website or online store is in just three minutes, use our online CyberCheck PME diagnosis tool.