KashmirBlack Botnet Uses DevOps to Stay Agile
Security researchers have lifted the lid on a highly sophisticated global botnet operation performing millions of attacks per day, including cryptocurrency mining, spamming and defacements.
Dubbed “KashmirBlack” by a team at Imperva, hundreds of thousands of compromised machines are controlled by a single command and control (C&C) server.
Active since around November 2019, it spreads by targeting an almost decade-old PHPUnit RCE vulnerability in popular content management system (CMS) software. Imperva warned that the pandemic has arguably created more potential victims for the botnet, given that many businesses have been scrambling to create an online presence via such platforms.
The botnet’s infrastructure is apparently more sophisticated than most, using DevOps techniques to drive agility and ensure new payloads and exploits can be added fairly easily.
This agility also means the botnet can rapidly change the repositories such as GitHub where it stores malicious code, as well as its C&C infrastructure, which Imperva claimed recently migrated to Dropbox to hide its tracks.
In a sign of how alert the botherders are to potential outside disruption, Imperva claimed that they blocked access to its honeypot servers in just three days after growing suspicious.
Indonesian web defacement cybercrime group PhantomGhost has been linked to the botnet, the security vendor claimed.
“This is the first time we have been able to get visibility into how exactly a botnet like this operates; an important discovery that will help the industry better understand how these nefarious groups evolve and sustain their activity,” said Ofir Shaty, Imperva security researcher and research co-author.
“The level of orchestration is remarkable. It’s a very polished operation using the latest software development techniques. With potentially millions of victims across the world, this level of sophistication should be a cause for concern. Once a server is being controlled by a hacker, it has the potential to compromise other servers in the domain in a domino effect, leading to potential data leakage, driving down brand reputation, and eventually losing revenue.”