Rise in Joomla Website Attacks due to Hackers Reverse Engineering Patches
A pair of recently disclosed critical vulnerabilities in the Joomla content management system is presently being exploited by hackers in a series of attacks on Joomla websites. Although the two vulnerabilities were not thought to have been exploited when first discovered, that quickly proved to be untrue.
In the aftermath of the release of any Joomla patch, hackers usually act quickly to take advantage. Ordinarily, attacks on unpatched sites begin only hours after the release of the patch. Hackers reverse-engineered the patches in order to work out how unpatched websites could be attacked. In less than 24 hours following the release of the patches, hackers had worked out how to compromise the websites concerned. After 36 hours, mass exploit attempts were identified. According to security firm Sucuri, just under 28,000 attacks had been attempted before one week had passed.
Joomla vulnerabilities are favoured by hackers. Joomla is currently the world’s 2nd most popular website creation platform after WordPress. Unlike WordPress, however, Joomla is more commonly used by companies that wish to create complex internal and public-facing websites, rather than by bloggers and non-commercial websites. Joomla website attacks are therefore more common.
The number of attacks is so great that Sucuri’s CTO Daniel Cid fears that any Joomla website that has not been patched may well already have been compromised. To protect sites against these attacks it is essential that all Joomla administrators update their CMS to Joomla 3.6.4.
Moreover, administrators should also verify whether their sites have already been compromised. The vulnerabilities can be exploited to allow attackers to create new user accounts with elevated privileges, and they permit account creation even where user registration has been disabled. Administrators are therefore advised to check whether any new accounts have been created on their sites. Site access logs should also be checked for any signs of compromise.
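The account check described above can be scripted rather than done by eye in the administrator backend. The following is an added example, not code from the article or from Sucuri: it audits the Joomla users table for accounts registered on or after a chosen date and flags those that either hold an elevated group or were created while self-registration was switched off. It assumes the Joomla 3 table layout (`#__users` with `registerDate`, `#__user_usergroup_map`), a table prefix of `jos_` (site-specific; substitute your own), and the default group IDs 6/7/8 for Manager, Administrator and Super Users (verify against `#__usergroups` on your site). To keep it runnable offline it loads a few constructed rows into an in-memory SQLite database; in practice you would run the same query against the site's MySQL database.

```python
import sqlite3

# Assumed Joomla 3 default group IDs; confirm against the site's #__usergroups table.
ELEVATED_GROUPS = {6: "Manager", 7: "Administrator", 8: "Super Users"}


def build_sample_db():
    """Constructed stand-in for the Joomla #__users and #__user_usergroup_map tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jos_users (
            id INTEGER PRIMARY KEY, name TEXT, username TEXT, email TEXT,
            registerDate TEXT, block INTEGER);
        CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
    """)
    users = [  # constructed sample rows
        (42, "Site Admin", "admin", "admin@example.com", "2015-03-01 10:00:00", 0),
        (43, "Editor", "editor", "editor@example.com", "2016-05-12 09:30:00", 0),
        (900, "zzz", "qwerty123", "x@mail.example", "2016-10-26 03:14:07", 0),
        (901, "John", "john", "john@example.com", "2016-10-27 11:00:00", 0),
    ]
    conn.executemany("INSERT INTO jos_users VALUES (?,?,?,?,?,?)", users)
    # Group membership: admin and user 900 are Super Users (8), editor is Editor (4),
    # john is plain Registered (2).
    conn.executemany("INSERT INTO jos_user_usergroup_map VALUES (?,?)",
                     [(42, 8), (43, 4), (900, 8), (901, 2)])
    conn.commit()
    return conn


def audit_new_accounts(conn, since, registration_enabled, prefix="jos_"):
    """Return accounts registered at or after `since` ('YYYY-MM-DD HH:MM:SS') that
    look suspicious, each with the reasons it was flagged.

    Joomla stores registerDate as a zero-padded datetime string, so a string
    comparison orders correctly (assumption: the column has not been altered).
    """
    sql = f"""
        SELECT u.id, u.username, u.email, u.registerDate, GROUP_CONCAT(m.group_id)
        FROM {prefix}users u
        LEFT JOIN {prefix}user_usergroup_map m ON m.user_id = u.id
        WHERE u.registerDate >= ?
        GROUP BY u.id
        ORDER BY u.registerDate
    """
    findings = []
    for uid, username, email, registered, group_str in conn.execute(sql, (since,)):
        groups = {int(g) for g in (group_str or "").split(",") if g}
        reasons = []
        for gid in sorted(groups & set(ELEVATED_GROUPS)):
            reasons.append(f"member of {ELEVATED_GROUPS[gid]} (group {gid})")
        if not registration_enabled:
            # Any account created while self-registration was disabled is itself
            # anomalous, because only an administrator should have been able to add it.
            reasons.append("created while self-registration was disabled")
        if reasons:
            findings.append({"id": uid, "username": username, "email": email,
                             "registered": registered, "reasons": reasons})
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    # Audit everything created since the patch/disclosure date you choose
    # (constructed value below; use the real date for your site).
    for f in audit_new_accounts(db, "2016-10-25 00:00:00", registration_enabled=True):
        print(f"{f['id']:>5} {f['username']:<12} {f['registered']}  {'; '.join(f['reasons'])}")
```

Any account this turns up should be treated as an indicator, not a verdict: confirm it against the administrator who would have created it, and pull the matching entries from the site's access logs for the registration time.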