Experts from Akamai Technologies’ Prolexic Security Engineering and Response Team (PLXsert) have discovered a vulnerability allows attackers to turn Joomla servers using the Google Maps plugin into a DDoS hacking tool. The worrying aspect of the technique, dubbed Joomla Reflection DDoS, is that it is low cost and easy to run.
Reflection techniques appear to be all the rage for DDoS attackers. During the fourth quarter of 2014, Akamai researchers observed 39 percent of all DDoS attack traffic used reflection techniques, which take advantage of an Internet protocol or application vulnerability that allows DDoS attackers to reflect malicious traffic off a third-party server or device.
Prolexic experts explain that Distributed Reflection Denial of Service techniques are very common in the criminal underground, in Q4 2014, Akamai researchers observed 39 percent of all DDoS attack traffic used these methods of attack.
The hackers exploited a vulnerability in Google Maps plugin for Joomla discovered early 2014, the flaw allows an attacker to use the plugin to act as a proxy.
“In February 2014, multiple vulnerabilities were discovered in the Google Maps plugin for Joomla. One of the vulnerabilities allows the plugin to act as a proxy. Vulnerable installations are being used en masse for reflected floods using tools such as DAVOSET and UFONet” states the report.
The DAVOSET tool is particularly effective to run Joomla Reflection DDoS attacks, it included a default list of servers that could be used to exploit the vulnerability of the Google Maps plugin to turn them in DDoS reflector machines. DAVOSET also allows threat actors to use their own reflectors and attack procedure could be easily configurable by establishing the number of requests per reflector and proxy configuration to use. UFONet is the second tool that could be used to automate reflection attacks, also in this case it is very easy to run Joomla Reflection DDoS.
“As with DAVOSET, it uses a web interface and a pointand-click configuration process. These user-friendly features provide attackers with an easy-to-use interface for proxy (e.g. Tor) configuration, customizable headers, attack options and more. Figure 2 illustrates how an attack works with a proxy, and Figure 3 shows the tool’s interface”
Researchers from Akamai discovered numerous multiple Joomla websites abused by hackers since September 2014 and identified nearly 150,000 vulnerable sites that could be used as Joomla reflectors.
“The attack campaigns contain traffic signatures that match sites known for providing DDoS-for-hire services,” reports Akamai. “The traffic appears to match attacks staged using tools developed specifically to abuse XML and Open Redirect functions, which then produce a reflected response that can be directed to targeted victims and result in denial of service. These tools are rapidly gaining popularity and are being adapted by the DDoS-Observed attack traffic and data suggest vulnerable hosts are being added to the menu of attacks on known DDoS-for-hire sites. The new attack type uses compromised Joomla servers as zombies or proxies to stage denial of service GET floods.”
Akamai confirmed that the attacks continued in 2015, the primary source of attack traffic is the Germany (31.8 percent), followed by the US (22.1 percent) and Poland (17.9 percent).
The report published by Akamai includes also Snort rules to mitigate Joomla Reflection DDoS attacks, the expert recommend organizations implement a DDoS protection plan because such kind of attacks is becoming very common.
“Vulnerabilities in web applications hosted by Software-as-a-Service providers continue to provide ammunition for criminal entrepreneurs. Now they are preying on a vulnerable Joomla plugin for which they’ve invented a new DDoS attack and DDoS-for-hire tools,” said Stuart Scholly, senior vice president and general manager in the Security Business Unit at Akamai, in a statement. “This is one more web application vulnerability in a sea of vulnerabilities – with no end in sight. Enterprises need to have a DDoS protection plan in place to mitigate denial of service traffic from the millions of cloud-based SaaS servers that can be used for DDoS.”
(Security Affairs – Joomla Reflection DDoS, Akamai)