Popular CMS Platforms afflicted by massive Botnet Attack

November 3, 2020
cms platforms KashmirBlack BotNet attack wordpress joomla drupal

Enterprise and Corporations who use CMS platforms must be extra vigilant because the cyber-attacks against different platforms such as Joomla, Drupal, and WordPress are prevalent and rampant.

Cybersecurity researchers recently discovered a barrage of botnet attacks on multiple CMS (Content Management Systems) platforms, infecting thousands of websites simultaneously. Companies like Drupal, WordPress, and Joomla! were the notable victims of these attacks. These popular CMS platforms provide online website management services for thousands of websites globally.

Security analysts from India pre-emptively discovered the attack, and their preliminary investigation reveals that the attack was executed using the KashmirBlack BotNet. The botnet was used and the actual attack orchestrated by the hacker group known as PhantomGhost. The group’s operations originated in Indonesia, where they have their own C&C (Command and Control) infrastructures. A hacker known only as “Exect1337” was identified as the one who spearheaded the attack on behalf of their group.

Additional research from security analysts in the US exposed the botnet attack’s actual targets, which is the CMS platforms. In-depth analysis shows that the attacks’ purpose is to deliberately infect the CMS platforms, particularly the websites they manage – this will provide the group instantaneous and administrator access to the platforms’ servers and use their resources for crypto-mining.


The KashmirBlack BotNet attack on CMS was executed via a step-by-step process, as shown by the researchers:

  • Infect the target Command & Control server using a Perl Script
  • Supply and lace the machines and servers with the BotNet scripts containing the attack instructions
  • Execute the C&C scripts and scan for sites running CMS platforms
  • Load the BotNets on CMS operated sites and await the attack commands
  • Attack CMS and sites’ components and libraries


This particular strategy created more than 30 unique exploits for the thousands of sites that got infected. The attack started small to avoid detection and made its way to the target sites, and immediately evolved into a much larger scale as it progressed. The attack resembled a rather massive brute-force attack that immediately disabled all basic processes on the machine and removed access to files and folders, including media contents on the websites and the underlying CMS platforms themselves. Talk about a “search and destroy” campaign.

The security researchers from both India and the US agreed that the first step in securing a CMS-based website is to ensure they perform a scan of the server and search for any suspected threats – like malware or malicious scripts. The researchers recommend uninstalling any unfamiliar programs that are basically eating up the system resources, remove any suspicious files, especially the small executable ones, get rid of unnecessary plugins that you don’t use, and remove the unused themes immediately.

These small actions should eliminate any possible backdoors that can be used or exploited by the BotNet and its hacker operators. As for the site admins and owners, ensuring that the CMS core files and other third-party modules are always updated and patched is the best way to prevent unauthorized access. Additionally, having a strong and “hard-to-guess” password is not a bad idea.

About the author

Leave a Reply