New DDoS attack and tools use Google Maps plugin as proxy

Attackers are using Joomla servers with a vulnerable Google Maps plugin installed as a platform for launching DDoS attacks.

A known vulnerability in a Google Maps plugin for Joomla allows the plugin to act as a proxy. Attackers spoof (fake) the source of the requests, causing the results to be sent from the proxy to someone else – their denial of service target. The true source of the attack remains unknown, because the attack traffic appears to come from the Joomla servers.

With cooperation from PhishLabs’ R.A.I.D, PLXsert matched DDoS signature traffic originating from multiple Joomla sites, which indicates vulnerable installations are being used en masse for reflected GET floods, a type of DDoS attack. Observed attack traffic and data suggest the attack is being offered on known DDoS-for-hire sites.

PLXsert was able to identify more than 150,000 potential Joomla reflectors on the Internet. Although many of the servers appear to have been patched, reconfigured, locked or have had the plugin uninstalled, others remain vulnerable to use in this DDoS attack.

“Vulnerabilities in web applications hosted by Software-as-a-Service providers continue to provide ammunition for criminal entrepreneurs. Now they are preying on a vulnerable Joomla plugin for which they’ve invented a new DDoS attack and DDoS-for-hire tools,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “This is one more web application vulnerability in a sea of vulnerabilities – with no end in sight. Enterprises need to have a DDoS protection plan in place to mitigate denial of service traffic from the millions of cloud-based SaaS servers that can be used for DDoS.”

Refection-based DDoS attacks of many types are popular at this time. In the fourth quarter of 2014, Akamai’s PLXsert observed 39 percent of all DDoS attack traffic employed reflection techniques. Reflection DDoS attacks each take advantage of an Internet protocol or application vulnerability that allows DDoS attackers to reflect malicious traffic off a third-party server or device, hiding their identities and amplifying the amount of attack traffic in the process.

Cloud-based DDoS attack mitigation can combat this problem to protect organizations from malicious traffic. Edge-based security and scrubbing centers stop DDoS attack traffic long before it affects a client’s website or data center.