    Python-Driven Bots Exploiting PHP Servers Ignite Gambling Platform Expansion

    Cybersecurity specialists have uncovered a sophisticated campaign targeting servers running PHP applications to bolster gambling platforms predominantly in Indonesia.

    “Over the last two months, an influx of orchestrated attacks originating from Python-based bots has been identified, signifying a concerted effort to compromise thousands of web applications,” stated Imperva analyst Daniel Johnston in a detailed investigation. “This surge in activity seems aligned with the expansion of gambling websites, likely in reaction to intensified government oversight.”

    The Thales-affiliated firm disclosed millions of requests emanating from a Python client configured to deploy GSocket (commonly referred to as Global Socket). This open-source utility facilitates communication across network boundaries, effectively bypassing traditional restrictions.

    Interestingly, GSocket has recently been implicated in a variety of cryptojacking schemes, leveraging its capabilities to embed malicious JavaScript code into websites, thereby pilfering sensitive payment information.

    The modus operandi of the attackers revolves around deploying GSocket through pre-existing web shells on compromised servers. Notably, a substantial portion of these assaults has targeted servers operating Moodle, a widely adopted learning management system (LMS).

    A striking feature of this campaign involves modifications to the bashrc and crontab configuration files, ensuring the persistent operation of GSocket even after malicious web shells are eradicated.

    The infiltrators exploit the access granted by GSocket to implant PHP scripts laden with HTML elements linking to gambling websites, specifically catering to Indonesian audiences.

    “Each PHP script contained a segment of code programmed to allow only search engine crawlers to interact with the page, while ordinary users were diverted to alternative domains,” Johnston elaborated. “The goal is to ensnare users actively seeking gambling services and redirect them to another domain.”

    Imperva identified the redirection pathways leading to “pktoto[.]cc,” an established Indonesian gambling portal.
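To make the crawler-only cloaking quoted above and the crontab/bashrc persistence described earlier concrete for defenders, here is an added Python detection example (it is not Imperva's code or anything recovered from the campaign): it flags PHP files that combine a search-engine User-Agent check with a redirect, and lists crontab or .bashrc lines that reference GSocket. The sample PHP and the crontab/.bashrc lines are constructed, and the indicator strings are assumptions.

```python
import re

# Constructed sample PHP modelled on the crawler-only cloaking the article
# describes (not a file recovered from the campaign).
SAMPLE_CLOAKED_PHP = """<?php
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
if (!preg_match('/googlebot|bingbot/i', $ua)) {
    header('Location: https://redirect.example/');
    exit;
}
echo '<a href="https://gambling.example/">slot</a>';
"""

# Constructed benign script: a redirect alone is not suspicious.
SAMPLE_CLEAN_PHP = "<?php\nheader('Location: /login.php');\n"

UA_RE = re.compile(r"HTTP_USER_AGENT", re.I)
CRAWLER_RE = re.compile(r"googlebot|bingbot|yandexbot|baiduspider|duckduckbot", re.I)
REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]\s*Location:", re.I)


def find_cloaking(php_source: str) -> dict:
    """Flag PHP that branches on a search-engine User-Agent and redirects.

    Only the combination of all three signals matches the behaviour quoted
    in the article (crawlers see the page, everyone else is redirected);
    each signal on its own is common in benign code.
    """
    checks_ua = bool(UA_RE.search(php_source))
    names_crawler = bool(CRAWLER_RE.search(php_source))
    redirects = bool(REDIRECT_RE.search(php_source))
    return {
        "checks_user_agent": checks_ua,
        "names_crawler": names_crawler,
        "redirects": redirects,
        "suspicious": checks_ua and names_crawler and redirects,
    }


# Constructed crontab and .bashrc lines; "gs-netcat" is the GSocket client
# binary name (assumption), the paths and commands are illustrative only.
SAMPLE_PERSISTENCE_LINES = [
    "0 * * * * /usr/bin/certbot renew --quiet",
    "@reboot nohup /tmp/.x/gs-netcat >/dev/null 2>&1 &",
    "export PATH=$PATH:/usr/local/bin",
    "nohup /var/tmp/gsocket/gs-netcat >/dev/null 2>&1 &",
]

PERSISTENCE_RE = re.compile(r"gsocket|gs-netcat", re.I)


def find_persistence(lines) -> list:
    """Return crontab/.bashrc lines referencing GSocket (the persistence the article describes)."""
    return [line for line in lines if PERSISTENCE_RE.search(line)]


if __name__ == "__main__":
    print(find_cloaking(SAMPLE_CLOAKED_PHP))
    print(find_persistence(SAMPLE_PERSISTENCE_LINES))
```

Run it over the web root and over each user's crontab and .bashrc; a hit from find_persistence is worth checking even after the web shell itself has been removed, which is exactly the case the article warns about.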

    This revelation coincides with c/side’s disclosure of a sweeping malware campaign that compromised over 5,000 websites globally. This campaign surreptitiously created unauthorized administrator accounts, installed malicious plugins sourced from remote servers, and exfiltrated credential data.

    The initial entry vector enabling the deployment of JavaScript malware remains ambiguous. Researchers have dubbed the malware WP3.XYZ, referencing the domain used for fetching the plugin and siphoning data (“wp3[.]xyz”).

    To shield against such threats, WordPress administrators are advised to:

    • Regularly update plugins and themes.
    • Implement firewall rules to block malicious domains.
    • Conduct scans for anomalous administrator accounts or rogue plugins.
    • Swiftly remove any suspicious entities discovered.
