A new piece of malware named Tusayan, targeting WordPress, Joomla and Magento, has been identified by researchers. Tusayan is a multi-vector threat that exposes the victim's data publicly over the internet and grants administrative privileges to the hacker.
According to the researchers at SiteLock, who identified the trojan, about 5000 websites have been infected by Tusayan. The researchers could identify as many as 1200 infected websites that are cached by search engines; that figure was extrapolated to arrive at the total. A typical attack in the Tusayan campaign starts with an IndoXploit shell injection. In this attack, the malware uses the shell kit to grab configuration files found in the content management system (CMS), and the stolen files are then saved to a plain text file. So far, only older versions of Magento, Joomla and WordPress have been found to be vulnerable to the malware.
The malware allows the hacker to gain administrative privileges over the computer. It also makes the data held on the infected computer publicly visible over the internet. In an interview with SC Media, Logan Kipp, Product Evangelist at SiteLock, said that "Based on the information that we've gathered so far, this trend is not a part of a blackmail scheme, but rather a way for the hackers to conveniently retrieve the details themselves. In many cases, we've seen that the directory has .htaccess-based protection in place to prevent the public from accessing the credentials, but also a large portion is completely unprotected and available to the public."
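A defender's check for the behaviour described above, written for this article and not taken from SiteLock or the malware: it walks a web root looking for plain-text copies of WordPress, Joomla or Magento credentials that sit outside the CMS's own configuration file, and reports whether the directory holding each copy is shielded by an .htaccess deny rule. The credential patterns, file names and sample site are constructed assumptions, since the page does not give the dump's real format.

```python
import os
import re
import tempfile
from pathlib import Path

# Credential lines as they appear in each CMS's own config file. Hypothetical
# patterns for this example; the trojan's real dump format is not on the page.
CREDENTIAL_PATTERNS = [
    re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]"),  # WordPress wp-config.php
    re.compile(r"public\s+\$password\s*="),           # Joomla configuration.php
    re.compile(r"<password>\s*<!\[CDATA\["),          # Magento 1 app/etc/local.xml
]
# Files that legitimately hold such lines; a match anywhere else is a copy.
LEGIT_CONFIG_NAMES = {"wp-config.php", "configuration.php", "local.xml", "env.php"}

def htaccess_denies(directory: Path) -> bool:
    """True if the directory's .htaccess blocks public access (Apache 2.2 or 2.4 form)."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="ignore").lower()
    return "deny from all" in text or "require all denied" in text

def find_credential_dumps(webroot) -> list:
    """Sorted (relative path, protected_by_htaccess) pairs for non-config files holding CMS credentials."""
    findings = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            if name in LEGIT_CONFIG_NAMES:
                continue
            path = Path(root) / name
            text = path.read_text(errors="ignore")  # undecodable bytes are skipped
            if any(p.search(text) for p in CREDENTIAL_PATTERNS):
                rel = path.relative_to(webroot).as_posix()
                findings.append((rel, htaccess_denies(path.parent)))
    return sorted(findings)

def build_sample_webroot() -> str:
    """Constructed sample site: the real wp-config.php, one exposed credential copy, one behind .htaccess."""
    base = Path(tempfile.mkdtemp())
    (base / "wp-config.php").write_text("<?php define('DB_PASSWORD', 's3cret');\n")
    uploads = base / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (uploads / "config.txt").write_text("define('DB_PASSWORD', 's3cret');\n")  # public
    hidden = base / "tmp"
    hidden.mkdir()
    (hidden / "dump.txt").write_text("public $password = 'j00mla';\n")
    (hidden / ".htaccess").write_text("Deny from all\n")  # protected, still a finding
    return str(base)
```

Both copies are reported; the .htaccess flag only tells you whether the credentials were reachable from the internet, not whether the server was compromised.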
As of now, the malicious code can perform its activities latently, and security software is not yet able to recognize it. The researchers have suggested that security teams manually add the malicious code to their security programs so that the attack can be identified and stopped in its early stages. The researchers have also advised bloggers and others hosting their content on these platforms to use the latest versions. According to them, the hackers are not going after popular content but after outdated software that is riddled with vulnerabilities.