RSAC 2019: Joomla! Mail Flaw Exploited to Create Mass Phishing Infrastructure | Threatpost

SAN FRANCISCO — A fresh campaign from a known adversary is using a flaw in the popular Joomla! CMS platform to carry out a large-scale phishing and spam operation.

According to Check Point Research, the issue is with Jmail, which enables users to send mail through the platform; the firm said that it lacks security mechanisms to prevent the manipulation of messages’ HTTP headers. As a result, a cybercriminal can use Jmail for phishing, spam or, in this case, to implement a fully fledged backdoor infrastructure within the platform to carry out those first two activities at scale.

“Indeed, by implementing simple manipulations on the User‐Agent header on HTTP requests, one can manipulate the platform and override the existing Jmail service,” explained the researchers, in findings released at the RSC Conference 2019.

The adversary, an Egyptian hacker that goes by “Alarg53,” To carry out his campaign, the adversary, first exploits a known object injection remote code-execution (RCE) flaw to inject code into the User‐Agent header field in HTTP requests.

“The attacker injects a base64 string in the User‐Agent field. The PHP code then downloads the files and stores them in a specific path,” Check Point noted. “Once decoded, it is transformed into PHP code that runs on the victim’s machine. The code tries to download specific files from Pastebin and stores them in a designated path.”

That path happens to be “./libraries/joomla/jmail.php; and the HTML file stored there contains PHP code with two major sections that serve two functionalities – sending mail and uploading files.

“Once downloaded and stored, the file actually overrides the current Joomla Jmail service,” the researchers said. “From now on, this file is actually an infrastructure in which the attacker can upload files and send mail for his own purposes. Based on our threat actor’s activity on the web, it seems this infrastructure is being used for phishing and mail spamming.”

Check Point has dubbed the attack “Jmail Breaker,” and researchers said that they expect it to be used by other adversaries in other attacks.

“Using an old Joomla Object Injection vulnerability, the attacker has managed to create an interesting chain that eventually can be leveraged for monetization through a phishing and spamming infrastructure,” researchers noted. “We predict that we will soon see evidence of such spamming methodologies in the near future.”

The threat actor, Alarg53, is known for defacing websites by replacing their home pages with a “Hacked by Alarg53” message instead, according to Check Point. As such, he has primarily made his name as a hacktivist, hacking sites on the basis of ideology.

However, he gained notoriety in 2017 by hacking Stanford University servers via a WordPress vulnerability.

“At first, it was thought to be just another [defacement] attack, but within a few hours, two PHP files were uploaded to the relevant servers enabling them to send large amounts of spam mail,” Check Point researchers explained. “[From there], he started to monetize his activities through cryptomining attacks and [a] phishing infrastructure.”

His attacks have been global, affecting victims in France, India, Japan, Mexico, Portugal, the U.K. and the U.S.; industries affected include finance, banking and government, according to Check Point.

Now, using the Jmail breaker approach, his game has changed to enable mass monetization campaigns.

“Whereas Alarg53 is a known hacker that has managed to hack more than 15,000+ sites, this time he has hit the big time as his attacks have evolved to include a significant and high‐scale backdoor and phishing infrastructure,” according to Check Point.

Threatpost reached out to Joomla! about the Jmail issue and will update this post with any further details.

For all Threatpost’s RSA Conference 2019 coverage, please visit our special coverage section, available here