KashmirBlack Botnet Uses DevOps to Stay Agile

Aug 17, 2014
Security researchers have lifted the lid on a highly sophisticated global botnet operation performing millions of attacks per day, including cryptocurrency mining, spamming and defacements.

Dubbed “KashmirBlack” by a team at Imperva, the botnet consists of hundreds of thousands of compromised machines controlled by a single command and control (C&C) server.

Active since around November 2019, it spreads by targeting an almost decade-old PHPUnit RCE vulnerability in popular content management system (CMS) software. Imperva warned that the pandemic has arguably created more potential victims for the botnet, given that many businesses have been scrambling to create an online presence via such platforms.

The botnet’s infrastructure is apparently more sophisticated than most, using DevOps techniques to drive agility and ensure new payloads and exploits can be added fairly easily. This agility also means the botnet can rapidly change the repositories such as GitHub where it stores malicious code, as well as its C&C infrastructure, which Imperva claimed recently migrated to Dropbox to hide its tracks. [...]