A significant hacking operation is targeting content management systems (CMS) globally, transforming them into tools for cybercriminals. This campaign affects small and medium-sized enterprises in Australia and internationally, with many web servers being compromised without clear indications.
Webshells: The Hidden Threat
The core of this hacking effort involves the use of webshells, a tool that provides attackers with a concealed backdoor to control compromised websites remotely. With this access, criminals can execute various malicious activities such as altering website content, stealing credentials, spreading malware, or infiltrating deeper into a network.
ACSC’s Investigation and Findings
The Australian Signals Directorate’s Cyber Security Centre (ACSC) has been actively monitoring this campaign, identifying its widespread impact across numerous CMS platforms and plugins. Attackers are not exploiting a single vulnerability; instead, they are combining multiple known vulnerabilities to enhance their reach. These vulnerabilities allow unauthorized file uploads, remote code execution, server-side request forgery, and unsafe deserialization, many of which already have public patches available.
The ACSC’s report highlights a shift in the speed with which attackers exploit disclosed vulnerabilities, a trend accelerated by AI technologies. This rapid exploitation has been noted in a joint statement from the Five Eyes cybersecurity agencies.
Broad Target Range and Recommended Actions
This exploitation campaign targets a wide array of software tools, including popular WordPress plugins and standalone platforms like Joomla and Craft CMS. Each platform has distinct vulnerabilities that attackers are actively seeking to exploit. Once a vulnerability is identified, a webshell is deployed to gain persistent access, enabling further malicious activities.
ACSC provides specific guidance for affected website owners, emphasizing the importance of inspecting CMS directories for unusual files and reviewing web access logs for suspicious activity. Servers found with webshells should be considered fully compromised, necessitating isolation, thorough log audits, and restoration from clean backups.
Preventive Measures and Future Outlook
Beyond immediate response, ACSC advises on long-term defensive strategies. Regular updates to CMS software and plugins are crucial, as most vulnerabilities currently exploited have existing patches. Temporarily disabling vulnerable plugins can minimize exposure. Additionally, configuring web directories as read-only and restricting executable paths can limit webshell activities.
Organizations are encouraged to block unnecessary network paths between public websites and internal systems to prevent broader breaches. Strengthening proactive defenses is vital to mitigate critical incidents and financial losses, supported by integrating live threat feeds from numerous SOC teams.
