Everything You Need to Know About Tusayan Malware
Researchers have identified a new malware campaign, named Tusayan, that targets WordPress, Joomla and Magento sites. Tusayan is a multi-vector threat: it exposes the victim site's data publicly over the internet and gives the attacker administrative privileges.
According to the researchers at SiteLock, who identified the trojan, about 5,000 websites have been infected by Tusayan. The researchers were able to identify as many as 1,200 infected websites cached by search engines and extrapolated from that data to arrive at the final figure. A typical attack in the Tusayan campaign starts with the injection of an IndoXploit shell. The attacker uses this shell kit to grab the configuration files of the content management system (CMS), which hold the site's credentials, and saves the stolen files to a plain-text file on the server. So far, only older versions of Magento, Joomla and WordPress have been found to be vulnerable.
The malware gives the attacker administrative privileges over the compromised site and makes the data on it publicly visible over the internet. In an interview with SC Media, Logan Kipp, Product Evangelist at SiteLock, said: "Based on the information that we've gathered so far, this trend is not a part of a blackmail scheme, but rather a way for the hackers to conveniently retrieve the details themselves. In many cases, we've seen that the directory has .htaccess-based protection in place to prevent the public from accessing the credentials, but also a large portion is completely unprotected and available to the public."
For now, the malicious code operates undetected: security software does not yet recognize it. The researchers have suggested that security teams manually add signatures for the malicious code to their security tools so that an attack can be identified and stopped in its early stages. They have also advised bloggers and others who host content on these platforms to run the latest versions. In their view, the attackers are not going after popular content but after outdated software that is riddled with vulnerabilities.
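Since the campaign's visible artifact is a plain-text copy of a CMS configuration file dropped somewhere under the web root, sometimes behind an .htaccess and sometimes not, one practical check a site owner or security team can run today is a scan for such dumps. The script below is an added example written for this article, not SiteLock's tooling and not a published Tusayan indicator: the credential patterns (WordPress `DB_PASSWORD`, Joomla `public $password`, Magento `<password><![CDATA[`), the scanned file extensions, the .htaccess rules it treats as "protected", and the sample web root it builds under a temporary directory are all assumptions chosen for illustration.

```python
"""Hunt for plain-text dumps of CMS configuration files under a web root.

Added example for this article, not SiteLock's code. The patterns below are
assumptions about what a copied wp-config.php / configuration.php / local.xml
looks like inside a .txt file; they are not indicators published for Tusayan.
"""
import os
import re
import tempfile

# Credential lines as they appear in each CMS config file (assumed typical forms).
CREDENTIAL_PATTERNS = {
    "wordpress": re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"]"),
    "joomla": re.compile(r"public\s+\$password\s*="),
    "magento": re.compile(r"<password><!\[CDATA\["),
}

# .htaccess directives we accept as blocking public access (Apache 2.2 and 2.4 forms).
DENY_RULE = re.compile(r"(?im)^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$")


def classify(text):
    """Return the CMS families whose credential pattern appears in the text."""
    return [cms for cms, pat in CREDENTIAL_PATTERNS.items() if pat.search(text)]


def htaccess_denies(directory):
    """True if the directory carries an .htaccess with a deny-all style rule."""
    try:
        with open(os.path.join(directory, ".htaccess"), encoding="utf-8", errors="replace") as fh:
            return bool(DENY_RULE.search(fh.read()))
    except OSError:
        return False


def scan_webroot(root, extensions=(".txt", ".log", ".bak")):
    """Walk the web root and report non-PHP files that contain CMS credentials.

    Each finding records the relative path, the CMS families matched and whether
    the containing directory is shielded by an .htaccess deny rule.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read(65536)  # credentials sit near the top; cap the read
            except OSError:
                continue
            hits = classify(text)
            if hits:
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "cms": hits,
                    "htaccess_protected": htaccess_denies(dirpath),
                })
    return sorted(findings, key=lambda f: f["path"])


def exposed_dumps(root):
    """Only the dumps the public can fetch: the urgent cases from the article."""
    return [f for f in scan_webroot(root) if not f["htaccess_protected"]]


def _write(root, relpath, content):
    path = os.path.join(root, *relpath.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_sample_webroot():
    """Constructed fixture: a fake web root with one shielded and one exposed dump."""
    root = tempfile.mkdtemp(prefix="cms_dump_demo_")
    # The genuine config stays a .php file, so it is not reported.
    _write(root, "wp-config.php", "<?php\ndefine('DB_PASSWORD', 's3cret');\n")
    # Dump behind an .htaccess deny rule: attacker-only access.
    _write(root, "tmp/creds.txt", "public $password = 'hunter2';\n")
    _write(root, "tmp/.htaccess", "Order deny,allow\nDeny from all\n")
    # Dump with no protection at all: world-readable over HTTP.
    _write(root, "wp-content/uploads/cache/dump.txt",
           "define('DB_PASSWORD', 's3cret');\n<password><![CDATA[mage_pw]]></password>\n")
    # Harmless text file that must not trigger.
    _write(root, "readme.txt", "Welcome to the site.\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_webroot()
    for finding in scan_webroot(demo_root):
        state = "PROTECTED" if finding["htaccess_protected"] else "EXPOSED"
        print(f"{state:9} {finding['path']}  ({', '.join(finding['cms'])})")
```

Run it against a real document root to list every candidate dump; anything reported as EXPOSED should be removed and its credentials rotated, and a PROTECTED hit still means the site was compromised and needs the same clean-up, since the article's point is that the attacker reads those files regardless of the .htaccess.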