DDoS-for-hire preying on SaaS apps such as Joomla
By Digital News Asia February 27, 2015
- New DDoS attack and tools use Google Maps plugin as proxy to hide attacker ID
- Threat advisory shares DDoS mitigation to help enterprises stop DDoS attacks
AKAMAI Technologies Inc is alerting enterprises and Software-as-a-Service (SaaS) providers of attackers using Joomla servers with a vulnerable Google Maps plugin installed as a platform for launching distributed denial-of-service (DDoS) attacks.
Akamai, through its Prolexic Security Engineering & Research Team (PLXsert) in collaboration with PhishLabs’ RAID (Research, Analysis, and Intelligence Division), has released a new cybersecurity threat advisory on the issue.
“Vulnerabilities in web applications hosted by SaaS providers continue to provide ammunition for criminal entrepreneurs,” said Stuart Scholly, senior vice president and general manager of the Security Business Unit at Akamai.
“Now they are preying on a vulnerable Joomla plugin for which they’ve invented a new DDoS attack and DDoS-for-hire tools.
“This is one more web application vulnerability in a sea of vulnerabilities – with no end in sight. Enterprises need to have a DDoS protection plan in place to mitigate denial of service traffic from the millions of cloud-based SaaS servers that can be used for DDoS,” he added.
Vulnerability in Google Maps plugin
A known vulnerability in a Google Maps plugin for Joomla allows the plugin to act as a proxy, Akamai said in a statement.
A proxy is an intermediary server that processes a request and returns the result on behalf of someone else. The vulnerable Google Maps plugin allows Joomla servers that use it to be used as a proxy.
Attackers spoof (fake) the source of the requests, causing the results to be sent from the proxy to someone else – their denial of service target.
The true source of the attack remains unknown, because the attack traffic appears to come from the Joomla servers, Akamai said.
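As an added illustration of the proxy behaviour described above (example code written for this article, not the plugin's own source, which the advisory does not reproduce), the Python below contrasts a proxy endpoint that fetches whatever URL it is handed with one restricted to the upstream hosts a maps plugin exists to reach, and tallies a batch of requests so an operator can see a foreign destination dominating the counts. The allowed hosts and the sample requests are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allowlist: upstreams a maps plugin would legitimately need.
# Hypothetical values for illustration, not taken from the real plugin.
ALLOWED_HOSTS = {"maps.googleapis.com", "maps.google.com"}
ALLOWED_SCHEMES = {"https"}

def open_proxy_target(requested_url: str) -> str:
    """Weak pattern: forward whatever URL the caller supplies.
    Any third party can be made the destination of the server's fetch,
    which is what turns an installation into a reflector."""
    return requested_url

def restricted_proxy_target(requested_url: str) -> Optional[str]:
    """Hardened pattern: only fetch from the upstream the plugin talks to.
    Returns the URL if it passes every check, otherwise None."""
    parsed = urlparse(requested_url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return None
    host = parsed.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return None  # also rejects "allowed-host@victim" tricks
    if parsed.username or parsed.password:
        return None
    try:
        if parsed.port not in (None, 443):
            return None
    except ValueError:  # malformed port
        return None
    return requested_url

def summarize_targets(requested_urls: List[str]) -> Tuple[Dict[str, int], int]:
    """Count proxy requests per destination host and how many the hardened
    check refuses; an unlisted host dominating is a reflector warning sign."""
    per_host: Dict[str, int] = {}
    refused = 0
    for url in requested_urls:
        host = (urlparse(url).hostname or "<invalid>").lower()
        per_host[host] = per_host.get(host, 0) + 1
        if restricted_proxy_target(url) is None:
            refused += 1
    return per_host, refused

# Constructed sample of requests hitting the proxy endpoint.
SAMPLE_REQUESTS = [
    "https://maps.googleapis.com/maps/api/js?key=PLACEHOLDER",
    "https://victim.example/?x=1",
    "https://victim.example/?x=2",
    "https://victim.example/?x=3",
    "http://maps.googleapis.com/maps/api/js",
]
```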
With cooperation from PhishLabs’ RAID, PLXsert matched DDoS signature traffic originating from multiple Joomla sites, which indicates vulnerable installations are being used en masse for reflected GET floods, a type of DDoS attack.
Observed attack traffic and data suggest the attack is being offered on known DDoS-for-hire sites.
PLXsert was able to identify more than 150,000 potential Joomla reflectors on the Internet. Although many of the servers appear to have been patched, reconfigured, locked or have had the plugin uninstalled, others remain vulnerable to use in this DDoS attack.
Mitigated DDoS attacks
PLXsert mitigated a DDoS attack of this type on behalf of an Akamai customer in November. The majority of the top attacking IP (Internet Protocol) addresses originated from Germany.
The same IP addresses that participated in this attack have participated in DDoS attacks against other Akamai customers in the industries of hosting, entertainment and consumer goods, the company said.
Protecting against reflection DDoS attacks
Reflection-based DDoS attacks of many types are popular at this time. In the fourth quarter of 2014, Akamai’s PLXsert observed that 39% of all DDoS attack traffic employed reflection techniques.
Reflection DDoS attacks each take advantage of an IP or application vulnerability that allows DDoS attackers to reflect malicious traffic off a third-party server or device, hiding their identities and amplifying the amount of attack traffic in the process.
Cloud-based DDoS attack mitigation can combat this problem to protect organisations from malicious traffic. Edge-based security and scrubbing centres stop DDoS attack traffic long before it affects a client’s website or data centre, Akamai said.
A complimentary copy of the threat advisory is available for download at www.stateoftheinternet.com/joomla-reflection.
To learn more about PhishLabs, visit http://www.phishlabs.com.