An overwhelming number of websites were found compromised by a sophisticated botnet called KashmirBlack that attacked through vulnerable content management system (CMS) platforms.
The botnet, which made good use of agile development, was released in 2019 and has since been using infected website servers for mining, spamming, and showing web defacements. From a small, almost harmless bot, KashmirBlack is now an agile software capable of attacking thousands of websites across 30 countries each day.
Hackers behind the bot
Cybersecurity leader Imperva Research Labs published its findings after an intensive investigation on KashmirBlack spanning six months. During their half-year journey, the team identified hacker Exect1337 who may be the brain behind the bot.
By tracing the signature, Imperva also found Indonesian group PhantomGhost involved, a team that focuses on defacement. It was the hacker’s marker on another code that the researchers derived the name KashmirBlack from.
The investigation process was nothing short of tedious. Imperva’s first step was to attract the botnet through a honeypot. As expected, their puppet was attached and transformed into a spambot. Soon enough, the team started to receive instructions directly from a single Command and Control (C&C) server.
When the research went according to plan, the Imperva team immediately identified the inner workings from the KashmirBlack bot to the honeypot. They dissected the ways the bots interacted, further strengthening their findings on the botnet.
Three days later, the hackers grew suspicious. The Imperva team was soon locked out – proof of how responsive and alert the team behind the agile software bot is.
Complex operations starting from 2019
From its investigation, Imperva determined that the botnet operation through agile methodology started around November 2019 with more than 60 servers working as part of its infrastructure. The team believes that the C&C sends instructions on new targets and brute force attacks to over thousands of botnets.
When it comes to more in-depth ways of operating, Imperva believes that KashmirBlack takes advantage of the decade-old patchable vulnerability PHPUnit RCE to attack its victims. Such is further proof that the hackers behind it are targeting CMS platforms, although this claim is just a theory at the moment. The hackers seem to be targeting CMS for its weak password, unsupported plugins, and outdated versions (otherwise called “poor cyber hygiene”).
The study further shows that KashmirBlack is more than just a spambot. The hackers built it with a sophisticated infrastructure that allows it to expand and exploit with little to no effort. In addition, the botnet does a tremendous job at camouflaging itself to protect its presence and operation.
In fact, Imperva even identified traces of development frameworks such as DevOps and Agile in the botnet. The hackers seem to have been using these methodologies to adapt KashmirBlack and help it evolve to understand new commands from the control center quickly. It likewise can change repositories for storing malicious documents.
The purpose behind the botnet
All this work couldn’t have gone for nothing. It’s evident that the team behind KashmirBlack had its purpose for building and protecting the bot through agile development. Imperva looked at the possible purposes and found three: crypto mining, spamming, and defacement. However, they noticed that these were not fixed or absolute. The objectives seem to shift over time as well.
Just recently, botnet went all-digital by transferring to cloud-based service Dropbox, abandoning the old control center C&C. Imperva found evidence of Dropbox API when KashmirBlack fetched instructions or sent reports on new bots.
The change of platform goes beyond only making their operations more digital. KashmirBlack now has the ability to hide illegitimate activity behind legitimate web services, further strengthening its camouflaging capabilities and secured operations. As a result, it will be harder for future researchers to get as close to the hackers as Imperva did.
What experts have to say
The Imperva team had their thoughts and comments on the agile methodologies used by the KashmirBlack hackers. Security researcher Sarit Yerushalmi, a co-author of the report, says, “Understanding KashmirBlack required a delicate game of cat and mouse; looking behind the scenes to get inside the hackers mind, while trying to stay undetected by the powers operating it. This has given us a vital glimpse into the anatomy and operation of an active botnet in real-time.
“Discovering all the entities, layers and architecture behind the botnet and watching it evolve has made clear just how sophisticated these operations are becoming.”
Further, Ofir Shaty, another author who worked alongside Yerushalmi, says that this study is the first time the team saw botnet operations first-hand. Indeed, the results were no less than helpful for the industry in understanding how hacker groups work and continue activities despite strong privacy and protection protocols. He shares, “the level of orchestration is remarkable. It’s a very polished operation using the latest software development techniques. With potentially millions of victims across the world, this level of sophistication should be a cause for concern.”
“Once a server is being controlled by a hacker, it has the potential to compromise other servers in the domain in a domino effect, leading to potential data leakage, driving down brand reputation, and eventually losing revenue,” says Shaty.
Head of threat research Nadav Avital had his learnings from the extended research, including the importance of strong passwords in defending against brute force attacks. He further stressed how crucial it is to deploy web application firewalls (WAF) to protect websites against unwanted bots like KashmirBlack. Although it may be considered as small steps, all of these precautions add up to enforce stronger protection against malware.
Avital also gave his advice on security to companies with online platforms. According to him, it’s always crucial to practice good cyber hygiene. Simple steps like removing plugins, updating core files and modules, and denying access to sensitive files will give organizations a security barrier against these hackers.
“If you discover that you are in the botnet, then you must kill the malicious processes and remove the malicious files and jobs. You will then need to investigate whether the infection has spread and compromised any other data or systems. But prevention is always better than cure.”