Hackin9

Here's the control panel hackers can access by exploiting a just-patched Joomla vulnerability. (credit: Spiderlabs)

Millions of websites used in e-commerce and other sensitive industries are vulnerable to remote take-over hacks made possible by a critical vulnerability that has affected the Joomla content management system for almost two years.

The SQL-injection vulnerability was patched by Joomla on Thursday with the release of version 3.4.5. The vulnerability, which allows attackers to execute malicious code on servers running Joomla, was first introduced in version 3.2, released in early November 2013. Joomla is used by an estimated 2.8 million websites.

"Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable," Asaf Orpani, a researcher inside Trustwave's Spiderlabs, wrote in a blog post. The vulnerability, and two closely related security flaws, have been cataloged as CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858.


 

Introduction

In early September 2015, we started seeing reports about arrests tied to Dridex malware [1, 2]. About that time, we noticed a lack of botnet-based malicious spam (malspam) pushing Dridex malware. During the month of September, Dridex disappeared from our radar. By the beginning of October 2015, malspam pushing Dridex came back [3], and it's continued since then.

From what I can tell, Dridex was gone about a month, for most of September 2015.

Even though Dridex came back, organizations have still been discussing the previous takedown. The most recent wave of reporting happened in mid-October after the US Justice Department (DoJ) published a news release discussing the August 2015 takedown [4]. The DoJ release on Dridex (also known as Bugat or Cridex) reported the botnet administrator had been arrested back in August, and the botnet's operations were substantially disrupted. That was old news, but it spread anew as other organizations passed on the information [5, 6, 7, to name a few]. Some of those reports warned that botnets are rarely disrupted for long, and that's certainly been the case with Dridex.

Details

When did the outage start? When did it stop? The Dridex botnet administrator was arrested on 2015-08-28 [4], and Palo Alto Networks reported Dridex was back by 2015-10-01 [3]. That represents an outage of approximately one month. Let
Shown above: Searching for #Dridex on Virus Total.

This morning (Friday 2015-10-23) when I searched VirusTotal for #Dridex, I found more than 80 comments posted by at least a dozen individuals after the 2015-08-28 arrest. These #Dridex comments covered 28 Word documents, 4 Excel spreadsheets, and 37 Win32 EXE files.
Shown above: Examples of the #Dridex comments.

I compiled a spreadsheet of the data. It's saved as a .csv file available here. In it, you'll find an absence of #Dridex-tagged submissions after 2015-09-02. #Dridex-tagged submissions resumed on 2015-10-01.
Shown above: Spreadsheet indicates a gap in #Dridex-tagged malware.

The hashtag is a quick way to find files that people have specifically identified as Dridex. Some of the files may have been mistakenly identified, so there's room for error. However, this preliminary analysis backs up what Palo Alto reported [3], and plenty of us are seeing Dridex malspam on a near-daily basis now.
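The gap hunt described above (tally the tagged submissions by file type, then look for a long silence between consecutive submission dates) is easy to automate once the data is in a CSV. The following Python script is an added example, not the diary's spreadsheet or any ISC tooling; the column names, the dates and the hash placeholders in the embedded sample are constructed to mimic the shape of the data and are not real indicators. The default 14-day threshold is likewise an assumption.

```python
import csv
import io
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample in the shape of the diary's spreadsheet: one row per
# #Dridex-tagged VirusTotal submission. The dates are chosen to reproduce the
# kind of silence the diary found; the hash column holds placeholders only.
SAMPLE_CSV = """submitted,file_type,sha256
2015-08-29,Word,constructed-hash-01
2015-09-01,Win32 EXE,constructed-hash-02
2015-09-02,Excel,constructed-hash-03
2015-09-02,Word,constructed-hash-04
2015-10-01,Word,constructed-hash-05
2015-10-02,Win32 EXE,constructed-hash-06
2015-10-09,Word,constructed-hash-07
2015-10-15,Win32 EXE,constructed-hash-08
2015-10-22,Word,constructed-hash-09
"""


def load_rows(csv_text: str) -> List[Dict[str, str]]:
    """Parse CSV text into one dict per tagged submission."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def count_by_type(rows: List[Dict[str, str]]) -> Counter:
    """Tally submissions per file type, the way the diary counts Word/Excel/EXE."""
    return Counter(row["file_type"] for row in rows)


def find_gaps(rows: List[Dict[str, str]],
              min_gap_days: int = 14) -> List[Tuple[date, date, int]]:
    """Return (last_seen, next_seen, days) for every silence of at least
    min_gap_days between consecutive submission dates.

    Rows may arrive unsorted and several may share a date, so the dates are
    de-duplicated and sorted before neighbouring pairs are compared.
    """
    seen = sorted({date.fromisoformat(row["submitted"]) for row in rows})
    gaps = []
    for earlier, later in zip(seen, seen[1:]):
        silence = (later - earlier).days
        if silence >= min_gap_days:
            gaps.append((earlier, later, silence))
    return gaps


def report(csv_text: str = SAMPLE_CSV) -> str:
    """Human-readable summary: counts per type, then any gaps found."""
    rows = load_rows(csv_text)
    lines = [f"{kind}: {n}" for kind, n in sorted(count_by_type(rows).items())]
    for earlier, later, days in find_gaps(rows):
        lines.append(f"gap: no tagged submissions {earlier} -> {later} ({days} days)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())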

Final words

Dell SecureWorks has a good description of the architecture behind Dridex [7]. More recent write-ups about Dridex malspam are available from sites like Dynamoo's Blog [8] and Techhelplist.com [9].
Shown above: Example of Twitter commentary on the recent Dridex takedown.

In the past few days, we've received samples of malspam attachments submitted by our readers. Some of these submissions have been malicious Word documents associated with Dridex. As always, handlers at the ISC continue to monitor the cyber landscape, and we'll keep you up-to-date on any recent trends.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://krebsonsecurity.com/2015/09/arrests-tied-to-citadel-dridex-malware/
[2] https://threatpost.com/alleged-gozi-co-author-pleads-guilty-as-alleged-citadel-dridex-attacers-arrested/114566/
[3] http://researchcenter.paloaltonetworks.com/2015/10/dridex-is-back-and-targeting-the-uk/
[4] http://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled
[5] https://nakedsecurity.sophos.com/2015/10/15/dridex-botnet-taken-down-multi-million-bank-fraud-suspect-arrested/
[6] http://www.theregister.co.uk/2015/10/14/dridex_botnet_takedown/
[7] http://www.secureworks.com/cyber-threat-intelligence/threats/dridex-bugat-v5-botnet-takeover-operation/
[8] http://blog.dynamoo.com/search/label/Dridex
[9] https://techhelplist.com/component/search/Dridex

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Maksymilian Arciemowicz of CXSECURITY released an advisory showing an unpatched buffer overflow in Apple's FTS library [1]. The FTS functions are used by commands like ls and cd on Unix/BSD systems to traverse the file system. The exploit does not appear to present a serious threat right now, as it requires an authenticated user on the system with the ability to create directories. It doesn't appear to lead to privilege escalation.

In order to trigger the vulnerability, the attacker has to create a very deep set of subdirectories. Maksymilian creates 1024 of them with a simple bash script. While these directories are being created, the error message "cd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory" is displayed.

After returning to the top of the nested subdirectory structure, a recursive ls -laR will lead to a segmentation fault.

The impact of this vulnerability is likely small, as it is not exploitable remotely and requires a user to be already logged in. But Maksymilian notes that many AV tools will miss binaries located more than 512 directories deep in such a nested file system, so it could be used to hide malware.
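Since the defensive concern here is files tucked away below the depth at which scanners give up, a useful check is a scanner that reports every file nested deeper than a threshold and that does not itself fall over on a deep tree. The Python script below is an added example, not code from the advisory or the ISC diary. It opens each directory relative to its parent's file descriptor (so no absolute path is ever built and PATH_MAX is irrelevant) and walks iteratively rather than recursively. The 512 threshold mirrors the number quoted above but is a tunable assumption; the function names and the constructed test fixture are assumptions as well.

```python
import os
import shutil
import sys
import tempfile
from typing import Iterator, List, Tuple

# Depth beyond which, per the advisory, some AV tools stop looking.
# Assumption: treated here as a configurable threshold, defaulting to 512.
DEFAULT_DEPTH_LIMIT = 512


def walk_by_fd(root: str) -> Iterator[Tuple[str, int, bool]]:
    """Yield (relative_path, depth, is_dir) for every entry below root.

    Each directory is opened relative to its parent's descriptor, so the walk
    never builds a full path and is not bound by PATH_MAX; it is iterative, so
    neither the C stack nor Python's recursion limit is hit. Symlinks are not
    followed, which also rules out cycles.
    """
    stack = [(os.open(root, os.O_RDONLY | os.O_DIRECTORY), 0, "")]
    try:
        while stack:
            fd, depth, rel = stack.pop()
            try:
                with os.scandir(fd) as entries:  # scandir dup()s fd; we still close ours
                    for entry in entries:
                        child = os.path.join(rel, entry.name) if rel else entry.name
                        is_dir = entry.is_dir(follow_symlinks=False)
                        yield child, depth + 1, is_dir
                        if not is_dir:
                            continue
                        flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
                        try:
                            child_fd = os.open(entry.name, flags, dir_fd=fd)
                        except OSError as exc:  # unreadable subtree: report and move on
                            print(f"skip {child}: {exc.strerror}", file=sys.stderr)
                            continue
                        stack.append((child_fd, depth + 1, child))
            finally:
                os.close(fd)
    finally:
        for fd, _, _ in stack:  # release descriptors if the consumer stops early
            os.close(fd)


def find_deep_files(root: str, depth_limit: int = DEFAULT_DEPTH_LIMIT) -> List[Tuple[str, int]]:
    """Non-directory entries nested deeper than depth_limit, with their depth."""
    return [(rel, depth) for rel, depth, is_dir in walk_by_fd(root)
            if not is_dir and depth > depth_limit]


def max_depth(root: str) -> int:
    """Deepest nesting level under root (0 for an empty directory)."""
    return max((depth for _, depth, _ in walk_by_fd(root)), default=0)


def build_nested_fixture(base: str, dirs: int, leaf: str = "dropped.bin") -> None:
    """Constructed test fixture: `dirs` single-character directories nested in
    each other with one empty file at the bottom, created via dir_fd so the
    length of the resulting path never matters."""
    fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for _ in range(dirs):
            os.mkdir("d", dir_fd=fd)
            nxt = os.open("d", os.O_RDONLY | os.O_DIRECTORY, dir_fd=fd)
            os.close(fd)
            fd = nxt
        os.close(os.open(leaf, os.O_WRONLY | os.O_CREAT, 0o600, dir_fd=fd))
    finally:
        os.close(fd)


def demo(dirs: int = 20, depth_limit: int = 10) -> Tuple[List[Tuple[str, int]], int]:
    """Build a throwaway tree, scan it, clean up, return (hits, deepest level)."""
    base = tempfile.mkdtemp(prefix="deepscan-")
    try:
        build_nested_fixture(base, dirs)
        return find_deep_files(base, depth_limit), max_depth(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, depth in find_deep_files(start):
        print(f"{depth:5d}  {rel}")
```

Run it as `python3 deepscan.py /path/to/check` to list anything deeper than 512 levels; the `demo()` function exercises the scanner on a small constructed tree (20 directories, threshold 10) so the logic can be checked without touching a real filesystem layout.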

[1] https://cxsecurity.com/issue/WLB-2015100149

---
Johannes B. Ullrich, Ph.D.

 

The Register

Tardy TalkTalk advertised for a new infosec officer 1 week ago
The Register
The telecommunications company stated it was "seeking a skilled and highly experienced Information Security Officer to assist with the on-going programme of work to define, promote, achieve and maintain compliance with TalkTalk Information Security ...

 
Re: TeamSpeak Client <= 3.0.18.1 RFI, Directory Traversal to RCE
 
CVE-2015-6576: Bamboo - Deserialisation resulting in remote code execution
 
SEC Consult SA-20151022-0 :: Lime Survey Multiple Critical Vulnerabilities
 
Re: TeamSpeak Client <= 3.0.18.1 RFI, Directory Traversal to RCE
 

MIS Asia

Report: Infosec women make progress in governance, risk and compliance
MIS Asia
Women account for just 10 percent of the information security workforce, a new report shows, but are making progress in governance, risk and compliance jobs. The absolute number of women in cybersecurity jobs has been growing, but they're not even ...

 