Imperva Research Labs has revealed findings of a six-month intensive investigation into a botnet that has been exploiting CMS vulnerabilities and more.
KashmirBlack is an active botnet which has spread across 30 countries, performing on average millions of attacks every day, and infecting popular Content Management Systems (CMS).
From 2019 until now
The botnet operation started in or around November 2019 and is still active today. Its complex operation is managed by a single C-C (Command and Control) server and uses more than 60 servers, mostly innocent surrogates as part of its infrastructure, Imperva states.
It handles hundreds of thousands of bots, each communicating with the C-C to receive new targets, perform brute force attacks, install backdoors and grow the botnet.
Imperva states KashmirBlack exploits the PHPUnit RCE vulnerability to infect its victim despite it being a known, patchable vulnerability that is almost a decade old.
The hacker is likely targeting CMS because they are notorious for poor cyber hygiene, as many people use old versions, unsupported plug-ins, and weak passwords, the company states.
According to the research, the COVID-19 pandemic has created even more opportunities for the botnet, as more businesses are in need of easy web frameworks, such as WordPress, to digitise their business operations.
The study also shows that KashmirBlack is much more sophisticated than the average botnet. It has a well-designed infrastructure that can expand and add new exploits or payloads without much effort.
It also uses sophisticated methods to camouflage itself, exploiting a range of vulnerabilities to maintain persistence, so that it can stay undetected and protect its operation.
The researchers also found evidence of popular software development frameworks and methodologies such as DevOps and Agile being used to help the botnet adapt and evolve to new payloads and instructions with ease, Imperva states.
The botnet's origin
Imperva also discovered clues about the botnet's origin. By tracing the hacker's signature, the team could identify Exect1337, a member of the Indonesian group PhantomGhost, an active hacking crew that typically focuses on defacement.
The hacker accidentally left another marker within their code, which gave the botnet its name KashmirBlack, Imperva states.
To gather this detailed information, the research team created a honeypot to attract the botnet. KashmirBlack infected the honeypot, transforming it into a spamming bot and effectively parachuting the researchers behind enemy lines, where they started to receive instructions directly from the C-C mothership.
As a result, researchers could see how the different entities that made up the botnet interacted with one another, exposing the inner workings in a way not seen before.
However, three days after the honeypot was infected, the botnet maintainer apparently grew suspicious and updated the reporting address, freezing the researchers out. This shows how quick and responsive the botnet is to outside threats, Imperva states.
Potential purposes for the botnet
The researchers uncovered three types of purposes for the botnet: crypto mining, spamming and defacement. However, this did appear to shift over time, with different payloads and instructions being delivered.
The ability to quickly shift and adjust also enables the botnet to change repositories such as GitHub, which it uses to store malicious code and script.
More recently, the botnet entered a new evolutionary stage by using a cloud-based service, Dropbox, to replace the C-C. There is evidence that the Dropbox API is being used to fetch attack instructions and upload attack reports from spreading bots, according to the research.
Moving to Dropbox allows the botnet to hide illegitimate criminal activity behind legitimate web services. It is yet another step towards camouflaging the botnet traffic, securing the C-C operation and making it difficult to trace the botnet back to the hacker behind the operation.
Commentary from the experts
Imperva security researcher Ofir Shaty, who co-authored the research, says, “This is the first time we have been able to get visibility into how exactly a botnet like this operates; an important discovery that will help the industry better understand how these nefarious groups evolve and sustain their activity.
“The level of orchestration is remarkable. It's a very polished operation using the latest software development techniques. With potentially millions of victims across the world, this level of sophistication should be a cause for concern."
"Once a server is being controlled by a hacker, it has the potential to compromise other servers in the domain in a domino effect, leading to potential data leakage, driving down brand reputation, and eventually losing revenue," says Shaty.
Imperva security researcher Sarit Yerushalmi, another author of the report, says, “Understanding KashmirBlack required a delicate game of cat and mouse; looking behind the scenes to get inside the hackers mind, while trying to stay undetected by the powers operating it. This has given us a vital glimpse into the anatomy and operation of an active botnet in real-time.
"Discovering all the entities, layers and architecture behind the botnet and watching it evolve has made clear just how sophisticated these operations are becoming.
Key takeaways for businesses
Imperva head of threat research Nadav Avital commented on the key learnings from the research.
He says, “If you discover that you are in the botnet, then you must kill the malicious processes and remove the malicious files and jobs.
"You will then need to investigate whether the infection has spread and compromised any other data or systems. But prevention is always better than cure.
"Organisations need to practice good cyber hygiene by removing unused plugins and themes; ensuring the CMS core files and third-party modules are always up-to-date and properly configured; denying access to sensitive files and paths, such as install.php, wp-config.php, and eval-stdin.php.
"It's also critical that servers are updated with strong and unique passwords as this is the first defence against brute force attacks. Finally, deploying a web application firewall (WAF) can help ensure your site is protected.