Two recently disclosed critical vulnerabilities in the Joomla content management system are now being exploited in a wave of attacks on Joomla websites. A week ago there was no evidence of in-the-wild exploitation; that is no longer the case.
Attackers routinely move fast after a Joomla patch ships: they diff the patched and unpatched code to locate the fix, work out how to trigger the underlying flaw, and start hitting sites that have not yet updated, often within hours. This time it took less than 24 hours from the release of the patches for attackers to work out how to compromise vulnerable sites. Within 36 hours mass exploitation attempts were being detected, and almost 28,000 attack attempts had been logged before the week was out, according to security firm Sucuri.
Joomla vulnerabilities are attractive to attackers. Joomla is the second most popular website creation platform behind WordPress, but whereas WordPress is favored by bloggers and often used for noncommercial sites, Joomla is commonly used by companies to build complex internal and public-facing websites, which makes a compromised Joomla site a more valuable foothold. Attacks on Joomla sites are correspondingly common.
Such is the scale of the attacks that Sucuri’s CTO Daniel Cid believes any Joomla website that has not yet been patched is already likely to have been compromised. In order to protect against these attacks it is imperative that Joomla administrators update their CMS to Joomla 3.6.4.
Patching alone is not enough, however, because updating to 3.6.4 closes the hole but does not undo anything an attacker did before the update. The vulnerabilities can be exploited to create new user accounts with elevated privileges, and they work even when user registration has been disabled on the site, so a disabled registration form is no reassurance. Administrators should therefore check for any accounts created since the vulnerabilities were disclosed, paying particular attention to accounts placed in the Manager, Administrator or Super Users groups, and should examine site access logs for registration or account-creation requests that should not have been possible.
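The two checks described above can be scripted. The following is an added example written for this article, not code from the article, from Joomla or from Sucuri. It runs against an in-memory SQLite copy of Joomla 3's user tables with constructed sample rows, so it works offline; on a live site the same query would be pointed at the MySQL database. The table prefix jos_, the cutoff date, the sample log lines and the assumption that any POST to a com_users register task is anomalous on a site with registration disabled are all assumptions made for the example. The Manager, Administrator and Super Users group ids (6, 7 and 8) are Joomla 3's defaults.

```python
"""Post-patch compromise check for a Joomla 3 site (added example, not from the article).

Check 1: accounts registered on or after a cutoff that sit in a privileged group.
Check 2: access-log lines showing POST requests to a com_users "...register" task,
         which should not occur on a site where registration is disabled.
"""
import re
import sqlite3

# Joomla 3 default ids for the three privileged back-end groups.
PRIVILEGED_GROUPS = {6: "Manager", 7: "Administrator", 8: "Super Users"}

# Table prefix 'jos_' is an assumption; a real install uses the prefix chosen at install time.
SCHEMA = """
CREATE TABLE jos_users (id INTEGER PRIMARY KEY, name TEXT, username TEXT,
                        email TEXT, block INTEGER, registerDate TEXT);
CREATE TABLE jos_usergroups (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
"""


def build_sample_db():
    """Constructed sample data (not real): a long-standing admin, an ordinary
    member, and one Super User created after the cutoff."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO jos_usergroups VALUES (?, ?)",
                     [(2, "Registered"), *PRIVILEGED_GROUPS.items()])
    conn.executemany("INSERT INTO jos_users VALUES (?, ?, ?, ?, ?, ?)", [
        (42, "Site Admin", "admin", "admin@example.com", 0, "2015-03-01 10:00:00"),
        (57, "Jane Member", "jane", "jane@example.com", 0, "2016-09-12 08:30:00"),
        (61, "xxadmin", "xxadmin", "drop@example.net", 0, "2016-10-26 03:14:09"),
    ])
    conn.executemany("INSERT INTO jos_user_usergroup_map VALUES (?, ?)",
                     [(42, 8), (57, 2), (61, 8)])
    conn.commit()
    return conn


def find_new_privileged_accounts(conn, since):
    """Return (id, username, email, registerDate, group) for accounts registered
    on/after `since` ('YYYY-MM-DD HH:MM:SS', Joomla's registerDate format) that
    belong to a privileged group. ISO timestamps compare correctly as strings."""
    placeholders = ",".join("?" * len(PRIVILEGED_GROUPS))
    return conn.execute(f"""
        SELECT u.id, u.username, u.email, u.registerDate, g.title
        FROM jos_users u
        JOIN jos_user_usergroup_map m ON m.user_id = u.id
        JOIN jos_usergroups g ON g.id = m.group_id
        WHERE u.registerDate >= ? AND g.id IN ({placeholders})
        ORDER BY u.registerDate""", (since, *PRIVILEGED_GROUPS)).fetchall()


# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: with registration disabled, any POST to a com_users task named
# "<something>.register" is anomalous and worth reviewing.
REGISTER_RE = re.compile(r'option=com_users.*task=\w+\.register')


def find_registration_posts(log_lines):
    """Return (ip, timestamp, path, status) for POSTs to a com_users register task."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if REGISTER_RE.search(m["path"]):
            hits.append((m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


# Constructed log lines for the example (not captured from a real site).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Oct/2016:03:14:05 +0000] "GET /index.php?option=com_users&view=login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Oct/2016:03:14:09 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 421 "-" "python-requests/2.11"',
    '203.0.113.22 - - [26/Oct/2016:09:02:41 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 298 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    db = build_sample_db()
    for row in find_new_privileged_accounts(db, "2016-10-25 00:00:00"):
        print("privileged account created after cutoff:", row)
    for hit in find_registration_posts(SAMPLE_LOG):
        print("registration POST in access log:", hit)
```

Run against real data, the query only needs the prefix changed and the cutoff set to the date the vulnerabilities were disclosed; the log check is deliberately broad (any com_users register task) because a site with registration disabled should see none of these requests at all, so every hit deserves a look regardless of which task name was used.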