Akamai has issued an industry warning to businesses and Software-as-a-Service providers that attackers are currently exploiting a vulnerable Google Maps plugin installed on Joomla servers to launch reflected distributed denial of service (DDoS) attacks.
“Vulnerabilities in web applications hosted by Software-as-a-Service providers continue to provide ammunition for criminal entrepreneurs. Now they are preying on a vulnerable Joomla plugin for which they’ve invented a new DDoS attack and DDoS-for-hire tools,” said Stuart Scholly, senior vice president and general manager at the Security Business Unit, Akamai Technologies. “This is one more web application vulnerability in a sea of vulnerabilities.”
The vulnerability in the Google Maps plugin for Joomla lets the site act as an open proxy: the plugin fetches whatever URL it is asked for and returns the response. Attackers send the plugin a stream of requests naming the victim's address as the target, so each Joomla server sends GET requests to the victim on the attacker's behalf. The attacker stays anonymous, because the flood appears to come from the Joomla servers rather than from the machines that triggered it.
Figures released in February 2014 showed that Joomla, the second most frequently used online content management system after WordPress, had been downloaded over 50 million times.
Working with Phishlab R.A.I.D, Akamai’s Prolexic Security Engineering and Research Team (PLXsert) was able to match the signature of DDoS traffic coming from a number of Joomla sites, indicating that the vulnerable plugin is being used to execute large reflected GET flood DDoS attacks. The research also found that the attack vector is being advertised on popular DDoS-for-hire websites.
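The following is an added example, not code from Akamai, PLXsert or the Joomla plugin. It models in Python the two sides of what the article describes: the allow-list decision a map proxy must make before fetching a target (the check whose absence turns the plugin into a reflector), and a scan over web-server access-log lines that flags proxy requests whose target is not the mapping service the plugin exists to reach, grouped by victim host, which is the kind of signature matching PLXsert did from the reflector side. The proxy path, the `url` parameter name, the allow-listed hosts and the log lines are all assumptions constructed for the example, not details taken from the plugin or the report.

```python
"""
Added example: open map proxy as a DDoS reflector, and how to spot it.

Not the Joomla plugin's code and not PLXsert's tooling. Assumptions:
  - the proxy endpoint lives under a path containing "proxy" (hypothetical)
  - it receives the target in a query parameter called "url" (hypothetical)
  - the only legitimate upstreams are Google's map hosts (assumption)
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Hosts a map proxy has any business fetching from (assumption for the example).
ALLOWED_HOSTS = {"maps.google.com", "maps.googleapis.com"}


def check_proxy_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> tuple[bool, str]:
    """Decision a hardened proxy makes before fetching anything.

    Returns (ok, reason). Only http(s) URLs whose *parsed* hostname is on the
    allow-list pass; the hostname is taken from the parser rather than by
    string prefix so that "http://maps.google.com@victim.example/" and
    "http://maps.google.com.evil.example/" are both rejected.
    """
    try:
        parts = urlsplit(target)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allow-list"
    return True, "ok"


# Common Log Format: client - - [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def find_reflection_abuse(log_lines, allowed_hosts=ALLOWED_HOSTS) -> Counter:
    """Scan access-log lines for proxy requests aimed at non-allow-listed hosts.

    Returns a Counter mapping victim hostname -> number of GETs the server was
    made to reflect at it. Legitimate map fetches are not counted.
    """
    victims: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a CLF line; skip
        parts = urlsplit(m.group("path"))
        if "proxy" not in parts.path.lower():
            continue                      # not the proxy endpoint (assumed name)
        for target in parse_qs(parts.query).get("url", []):   # parse_qs decodes %xx
            ok, _ = check_proxy_target(target, allowed_hosts)
            if not ok:
                victims[(urlsplit(target).hostname or "?").lower()] += 1
    return victims


# Constructed log lines (not real traffic): one legitimate map fetch, a burst of
# reflected requests at victim.example from several clients, one userinfo trick,
# and one unrelated page hit.
PROXY = "/plugins/content/maps/proxy.php"   # hypothetical path
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2015:10:01:02 +0000] "GET {PROXY}?url=http%3A%2F%2Fmaps.google.com%2Fmaps%2Fapi%2Fjs HTTP/1.1" 200 5123',
    f'198.51.100.4 - - [10/Mar/2015:10:01:03 +0000] "GET {PROXY}?url=http%3A%2F%2Fvictim.example%2F HTTP/1.1" 200 812',
    f'198.51.100.9 - - [10/Mar/2015:10:01:03 +0000] "GET {PROXY}?url=http%3A%2F%2Fvictim.example%2F%3Fr%3D1 HTTP/1.1" 200 812',
    f'198.51.100.22 - - [10/Mar/2015:10:01:04 +0000] "GET {PROXY}?url=http%3A%2F%2Fvictim.example%2Fbig.iso HTTP/1.1" 200 812',
    f'198.51.100.31 - - [10/Mar/2015:10:01:04 +0000] "GET {PROXY}?url=http%3A%2F%2Fmaps.google.com%40other-victim.example%2F HTTP/1.1" 200 640',
    '203.0.113.50 - - [10/Mar/2015:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 14302',
]

if __name__ == "__main__":
    for host, n in find_reflection_abuse(SAMPLE_LOG).most_common():
        print(f"{n:4d} reflected GETs -> {host}")
```

Run against a real Joomla access log, the scan tells you whether your server is one of the reflectors and who is being hit; the check is what the proxy should have been doing before issuing any outbound request. Note that an allow-list alone does not stop an attacker from using you to hammer the allow-listed map service, so a hardened proxy should also rate-limit per client.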
PLXsert identified over 15,000 suspected Joomla reflectors online. Although many of the vulnerable plugins have since been patched, removed or reconfigured, many of the servers remain open to abuse.
Reflection is an extremely common DDoS technique: 39% of all DDoS traffic employs reflection, bouncing attack traffic off third-party servers so that the victim sees those servers, not the attacker, as the source.