Exactly 3 days ago, the Joomla team issued a patch for a high-severity vulnerability that allows remote users to create accounts and increase their privileges on any Joomla site. Both issues combined give the attackers enough power to easily upload backdoor files and get complete control of the vulnerable site.
A few hours after the patch was released, we were able to reverse-engineer it. We created an internal-only tool that allowed us to exploit the vulnerability and upload a backdoor. Marc explained the technical details in yesterday’s post. His research allowed us to understand how attackers could potentially abuse the vulnerability and what we would need to do to update the virtual patching rules in our cloud Firewall to keep our customers protected.
However, we were not the only ones performing this research. Less than 24 hrs after the initial disclosure, we started to see tests and small pings on some of our honeypots trying to verify if this vulnerability was present.
In less than 36 hrs after the initial disclosure, we started to see mass exploit attempts across the web. In fact, because of the sharp increase, it’s our belief that any Joomla! site that has not been updated is most likely already compromised.
Phase 1: Initial Pokes
The first attacks started at around 1pm UTC on the 26th, less than 24 hrs after the initial disclosure by the Joomla team. Most of them were looking for the user.register tasks and trying to create users. They were especially targeting some of the most popular Joomla sites.
This is how the payload would look in your web logs:
POST /index.php?option=com_users&task=user.register HTTP/1.1"
Phase 2: First Mass Exploits
A few hours later, at around 8pm UTC, a couple of IPs from Romania started a mass attack against thousands of different Joomla sites. In all of them, they tried to create a username called db_cfg with the password fsugmze3. They were going to the same URL with a payload that looks like:
220.127.116.11 - - [26/Oct/2016:18:09:24 -0400] "POST /index.php/component/users/?task=user.register user[name] = db_cfg user[username] = db_cfg user[password1] = fsugmze3 user[password2] = fsugmze3
If your site was not updated in time, look for the db_cfg username on your site as you are likely to have been hacked already. You can also look for these 3 IP addresses in your log:
18.104.22.168 22.214.171.124 126.96.36.199
They were the ones doing this initial mass exploitation campaign. Shortly after, another IP address from Latvia started a similar mass exploit campaign trying to register random usernames and passwords on thousands of Joomla sites. The only similar pattern for this Latvia IP address was the email: firstname.lastname@example.org.
So we have another IP to look for in your logs:
Both campaigns kept running strong through the 26th and 27th attempting to compromise every Joomla site we were watching, including our Honeypots.
Phase 3: Public Knowledge
After these initial mass exploits, multiple researchers and security professionals started to share different exploits for this attack. Some of them are even automating the upload of backdoors and using some unique techniques to bypass the media uploader (using .pht files).
That led to a massive increase in IP addresses trying to exploit this vulnerability using different patterns and techniques.
This is the graph of exploit attempts against this vulnerability since the disclosure:
… And that’s just based on the number of sites for which we have visibility.
Likely Already Compromised
If you have not updated your Joomla site yet, you are likely already compromised. Every Joomla site on our network was hit (and blocked by the Sucuri Firewall) and I assume pretty much every site out there suffered the same way.
I still recommend updating your site ASAP and checking for any new users in your dashboard. Also look for the provided IP addresses in your logs, along with the task=user.register pattern. If you find yourself in a situation where you have been compromised we have a new guide on how to clean a hacked Joomla site that you can follow. If you are unable to do it yourself we can help with the incident response.