Researchers Uncover 89 Zero-Days in CMS Platforms
Security researchers are warning users of popular content management system (CMS) platforms that they could be exposed to a range of cyber-threats, after uncovering 89 zero-day vulnerabilities.
A team at Comparitech decided to investigate a recent surge in web defacement attacks which appears to have bucked the long-term trend of a decline in such activity.
Monthly attacks soared from around 300,000 in July 2019 to nearly 700,000 in May 2020. Comparitech privacy advocate Paul Bischoff claimed the rise may be due to hackers staving off boredom while in lockdown.
As part of its investigation, the team uncovered 89 zero-day vulnerabilities in platforms such as WordPress, Joomla, Drupal and Opencart — and their plugins.
It claimed that as many as 100,000 websites are currently running plugins vulnerable to exploitation of these bugs, and that the vast majority of these were on WordPress (78,430) and Joomla (16,360).
“Researchers analyzed the source code of five popular mass-hacking bots, each of which can take advantage of 40 to 80 exploits,” Bischoff continued. “Arbitrary file upload vulnerabilities are the most common, which allow attackers to upload shell scripts onto web servers. Those shell scripts can then be used to remotely execute code and deface the site.”
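The "upload a script, then call it" sequence described above leaves a recognisable trace in ordinary web server access logs: a POST to a plugin upload endpoint, followed shortly by a request for a `.php`/`.phtml` file under the site's uploads directory. The following detector is an added example, not Comparitech's code or any of the tooling the article mentions; the log lines, the upload-directory paths, the endpoint heuristic and the ten-minute window are all constructed assumptions, and the script is a heuristic (a request for a server-side script under an uploads path is itself the stronger signal, and is reported even without a matching prior upload).

```python
"""Heuristic detector for web-shell drop-and-execute sequences in access logs.

Added example (not Comparitech's code). Sample log lines and the upload-path
patterns below are constructed assumptions for WordPress/Joomla/Drupal layouts.
"""
import re
from datetime import datetime, timedelta

# Apache/nginx "combined"-style prefix: ip ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed upload directories: WordPress, Joomla, Drupal defaults.
UPLOAD_DIR_RE = re.compile(r"^/wp-content/uploads/|^/images/|^/sites/default/files/")
# Server-side script extensions that should never be served from an upload directory.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)
# Crude heuristic for a plugin upload handler (assumption; tune per site).
UPLOAD_ENDPOINT_RE = re.compile(r"upload", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_shell_drops(lines, window=timedelta(minutes=10)):
    """Return findings for script requests under upload directories.

    reason == "upload_then_exec": same client POSTed to an upload endpoint
    within `window` before requesting the script (the article's pattern).
    reason == "script_in_uploads": script requested with no matching upload
    seen (still worth an alert; the upload may have come from another IP).
    """
    recent_uploads = {}  # ip -> list of (timestamp, upload endpoint path)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if rec["method"] == "POST" and UPLOAD_ENDPOINT_RE.search(path) and rec["status"] < 400:
            recent_uploads.setdefault(ip, []).append((ts, path))
            continue
        if UPLOAD_DIR_RE.search(path) and SCRIPT_EXT_RE.search(path):
            prior = [p for (t, p) in recent_uploads.get(ip, [])
                     if timedelta(0) <= ts - t <= window]
            findings.append({
                "ip": ip,
                "ts": ts.isoformat(),
                "path": path,
                "reason": "upload_then_exec" if prior else "script_in_uploads",
                "upload": prior[-1] if prior else None,
            })
    return findings


# Constructed sample log: one drop-and-execute sequence, one benign image
# upload, and one orphaned script request (documentation IP ranges only).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2020:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1204
203.0.113.7 - - [10/Jun/2020:12:00:05 +0000] "POST /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 54
203.0.113.7 - - [10/Jun/2020:12:00:09 +0000] "GET /wp-content/uploads/2020/06/x.php HTTP/1.1" 200 311
198.51.100.20 - - [10/Jun/2020:12:03:44 +0000] "POST /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 54
198.51.100.20 - - [10/Jun/2020:12:03:50 +0000] "GET /wp-content/uploads/2020/06/photo.jpg HTTP/1.1" 200 84211
192.0.2.5 - - [10/Jun/2020:13:15:02 +0000] "GET /wp-content/uploads/2019/11/cache.phtml HTTP/1.1" 200 98
"""

if __name__ == "__main__":
    for f in find_shell_drops(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['path']} (upload: {f['upload']})")
```

On the constructed sample this reports two findings: the drop-and-execute sequence from 203.0.113.7 and the orphaned `.phtml` request from 192.0.2.5, while the benign image upload from 198.51.100.20 is ignored. Detection like this complements, rather than replaces, the preventive control: configure the web server to refuse to execute scripts from upload directories so that an uploaded shell cannot run even when a plugin's validation fails.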
However, web defacement represents a relatively minor impact compared to the potential damage such attacks could cause.
“Many of the exploits could also be used to distribute malware, set up phishing pages, redirect users to other malicious pages, install card skimming malware, add the server to a botnet, install a cryptominer, encrypt site data with ransomware or launch a number of other attacks on the site and its visitors,” Bischoff warned.
Comparitech also found that a relatively small number of the exploits it analyzed appear in vulnerability databases: just 124 out of a total of 280. This makes it less likely that security teams and vendors will have documented and built-in protections against them.
Scanning for specific plugins, databases and other elements known to be vulnerable is relatively straightforward via specially crafted searches known as “dorks,” explained Bischoff. Alternatively, IP scanning bots or IoT search engines like Shodan.io, Censys and BinaryEdge can be used. Off-the-shelf hacking tools have also lowered the barrier to entry significantly over recent years, he concluded.