Apache and Joomla exploits are only the latest examples of the growing bullseye.
In a pattern that has played out repeatedly over the past year or two, researchers in the past two days have reported a string of ongoing attacks that take control of Web servers by exploiting critical vulnerabilities in Apache software, Joomla, and other applications used to deliver content and programs online.
The vulnerabilities in both the Apache Struts framework and the Joomla content management system have been fixed recently, but attackers continue to exploit the flaws on servers that have yet to install the updates, according to research published in the past two days. The attacks can have severe consequences for the websites that use the older versions, since the exploits make it possible to execute malicious code that can pilfer confidential customer data, mount malware attacks on visitors, and install applications that give attackers persistent backdoor access to some of a server’s most sensitive resources.
One recent avenue for gaining backdoor access is an automated tool that exploits recently patched flaws in Struts, an Apache framework for developing Java applications. The hacking tool, which researchers discovered three days after Apache’s July 16 security advisory was issued, takes away much of the difficulty of manually injecting commands needed to extract sensitive information from vulnerable servers.
“The hacking tool contains a ‘WebShell’ feature, which allows the attacker to easily plant a backdoor and a Web shell onto the target,” Noriaki Hayashi, a senior threat researcher at Trend Micro, wrote in a blog post published Wednesday. “These Web shells make issuing commands to the backdoor much easier, as it can be done directly from a browser window.”
Websites that run vulnerable versions of Joomla, meanwhile, are being commandeered in a similar way, according to a report published Tuesday by researchers from security firm Versafe. In an e-mail sent to Ars, company officials said they discovered the flaws are being exploited to host malware and phishing attacks on outdated sites. The ongoing campaign was actively targeting people in Europe, the Middle East, and Africa.
“The series of attacks exploiting this vulnerability were particularly aggressive and widespread—involved in over 50 percent of the attacks targeting our clients and others in EMEA—and ultimately successful in infecting a great many unsuspecting visitors to genuine websites,” Versafe CEO Eyal Gruner wrote.
Stop us if you’ve heard this before
The attacks reported by Trend Micro and Versafe are part of a pattern that’s emerged over the past few years. With the increasing use of Apache, Joomla, Plesk, and a handful of other apps used to run or administer Web servers, hackers have vastly improved their ability to penetrate them. And since websites are trusted and visited by large numbers of end users, there’s often a high return on such server compromises. Attackers can now wield super botnets that wage ever more powerful denial-of-service assaults and malware infection platforms composed of tens of thousands of individual sites.
In some respects, Web server applications are to 2013 what Windows XP was to 2005—complex and full-featured enough that critical vulnerabilities are plentiful and in such wide use that some percentage of their user base is sure to make crucial mistakes. Fortunately, Microsoft’s secure development lifecycle program has gone a long way to resolving the Windows security crisis that once endangered large swaths of the Internet. It’s not clear how the current campaign against Web servers will play out, but it wouldn’t be surprising if it got worse before it got better.
© 2013, hackshark.com. All rights reserved.