DDoS-for-Hire Preys Upon SaaS Apps such as Joomla

0

Akamai LogoAkamai Technologies, the leading provider of cloud services for delivering, optimizing and securing online content and business applications, has released, through the company’s Prolexic Security Engineering & Research Team (PLXsert) in collaboration with PhishLabs’ R.A.I.D (Research, Analysis, and Intelligence Division), a new cybersecurity threat advisory. The advisory alerts enterprises and Software-as-a-Service (SaaS) providers of attackers using Joomla servers with a vulnerable Google Maps plugin installed as a platform for launching distributed denial of service (DDoS) attacks. The advisory is available for download from www.stateoftheinternet.com/joomla-reflection.

“Vulnerabilities in web applications hosted by Software-as-a-Service providers continue to provide ammunition for criminal entrepreneurs. Now they are preying on a vulnerable Joomla plugin for which they’ve invented a new DDoS attack and DDoS-for-hire tools,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “This is one more web application vulnerability in a sea of vulnerabilities – with no end in sight. Enterprises need to have a DDoS protection plan in place to mitigate denial of service traffic from the millions of cloud-based SaaS servers that can be used for DDoS.”

Vulnerability in Google Maps plugin for Joomla enables DDoS attacks

A known vulnerability in a Google Maps plugin for Joomla allows the plugin to act as a proxy. A proxy is an intermediary server that processes a request and returns the result on behalf of someone else. The vulnerable Google Maps plugin allows Joomla servers that use it to be used as a proxy. Attackers spoof (fake) the source of the requests, causing the results to be sent from the proxy to someone else – their denial of service target. The true source of the attack remains unknown, because the attack traffic appears to come from the Joomla servers.

With cooperation from PhishLabs’ R.A.I.D, PLXsert matched DDoS signature traffic originating from multiple Joomla sites, which indicates vulnerable installations are being used en masse for reflected GET floods, a type of DDoS attack. Observed attack traffic and data suggest the attack is being offered on known DDoS-for-hire sites.

PLXsert was able to identify more than 150,000 potential Joomla reflectors on the Internet. Although many of the servers appear to have been patched, reconfigured, locked or have had the plugin uninstalled, others remain vulnerable to use in this DDoS attack.

Details of a mitigated DDoS attack

PLXsert mitigated a DDoS attack of this type on behalf of an Akamai customer in November. The majority of the top attacking IP addresses originated from Germany. The same IP addresses that participated in this attack have participated in DDoS attacks against other Akamai customers in the industries of hosting, entertainment and consumer goods.

Multi-layered DDoS mitigation protects against reflection DDoS attacks

Refection-based DDoS attacks of many types are popular at this time. In the fourth quarter of 2014, Akamai’s PLXsert observed 39 percent of all DDoS attack traffic employed reflection techniques. Reflection DDoS attacks each take advantage of an Internet protocol or application vulnerability that allows DDoS attackers to reflect malicious traffic off a third-party server or device, hiding their identities and amplifying the amount of attack traffic in the process.

Cloud-based DDoS attack mitigation can combat this problem to protect organizations from malicious traffic. Edge-based security and scrubbing centers stop DDoS attack traffic long before it affects a client’s website or data center.

Get the Joomla Reflection DDoS-for-Hire Threat Advisory to learn more

In the advisory, PLXsert shares its analysis and details, including:

Use of the GET flood in Joomla reflection

What to look for: Three sample payloads

Attacks from the DAVOSET DDoS tool

Attacks from the UFONet DDoS tool

GET flood requests observed during an attack

Geographical distribution of source traffic

Three DDoS mitigation procedures to stop DDoS attacks of this type

A complimentary copy of the threat advisory is available for download at www.stateoftheinternet.com/joomla-reflection.

About PhishLabs

PhishLabs is the leading provider of cybercrime protection and intelligence services that fight back against online threats and reduce the risk posed by phishing, malware, distributed denial-of-service (DDoS) and other cyber-attacks. The company fights back against cybercrime by detecting, analyzing and proactively dismantling the systems and illicit services cybercriminals depend on to attack businesses and their customers. With a fixed-price service model that ensures alignment with client goals, the company partners with businesses to stop account takeover attacks, reduce online fraud and prevent the loss of customer trust.

To learn more about PhishLabs, visit http://www.phishlabs.com or email info@phishlabs.com

About Akamai

Akamai® is the leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the Company’s solutions is the Akamai Intelligent Platform™ providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Share.