Most unpatched Joomla sites compromised in latest wave of attacks

If you run a Joomla-based website and you haven’t implemented the latest security release of the CMS, your site has been almost surely compromised.

According to Sucuri CTO Daniel Cid, every Joomla site on the company’s network was hit with exploitation attempts within three days after the release of the update (v3.6.4), and he assumes that other Joomla-based sites suffered the same fate.

The security update in question fixed three critical flaws that allow attackers to create accounts on Joomla sites, to elevate those accounts’ privileges (make them admin accounts), and to modify existing users accounts.

The first two issues, CVE-2016-8870 and CVE-2016-8869, were flagged by researcher Demis Palma and Joomla Security Strike Team member Davide Tampellini, respectively.

No details about the vulnerabilities were shared when the update was released but attackers know how to reverse-engineer the patch and ferret them out.

“Less than 24 hrs after the initial disclosure, we started to see tests and small pings on some of our honeypots trying to verify if this vulnerability was present,” Cid noted. “In less than 36 hrs after the initial disclosure, we started to see mass exploit attempts across the web.”

The exploitation attempts came from various sources, and the initial ones targeted some of the most popular Joomla sites out there. But after that, the attackers stopped discriminating, and targeted every vulnerable site that could be found.

If you’re a Joomla site admin, check your site dashboard for new user accounts that you don’t remember setting up. If you find some, it’s high time to do some cleaning up, and finally implement the update.

Finally, let this be a lesson for the future: implement future fixes as soon as they are released.