How botnets are built on mass CMS exploitation


Recent public disclosures related to very popular open-source content management systems have shed some light into the cybercrime underground’s drive for obtaining access to infrastructure that can be used for malicious purposes. Recent vulnerability disclosures, such as Drupalgeddon2, Oracle Web logic and more recently Drupalgeddon3, are proof of the constant adversarial drift and general pursuit of means that can provide platforms for crime-related operations.

It is calculated that the internet has about 2 billion websites, and there are plenty that are built using CMS (content management frameworks). These CMS frameworks/systems are incredibly easy to setup and run to add and distribute content, making them very popular and accessible to all types of users including enterprises. The frameworks are usually based on the LAMP software bundle which is said to have a very large proportion of the actual internet. In addition, there are other  variations of LAMP like LEMP and, more recently, a similar type of application bundle known as MEAN has surfaced. All these software bundle frameworks represent an operating system, a web server, a backend database and a web/scripting language code.

Fig 2. Shows popular CMS frameworks in numbers

Unfortunately, most of these frameworks, because of their open-source origin and multiple components, tend to be affected by vulnerabilities associated not only in their components but also in their own code. These vulnerabilities, coupled with the abundance of hosts with such frameworks, are prime candidates for botnet building.


How difficult is to target CMS to build a botnet? Let’s look at what is publicly available.

 It is really not difficult to find these frameworks as many vulnerability scanners (either commercial or open source) are available on the internet. Or you can find them via a  vulnerability search engine like The following figure shows search results on keyword “wordpress” at

Fig 3. Shows results from over 27K vulnerable wordpress sites

There are many other ways of discovering CMS frameworks on the web, such as using popular open-source scanning tools like Nmap or MassScan. There are also specific CMS vulnerable scan frameworks, including WPScan or Drupwn.

Once these possible targets are identified, malicious actors will proceed to exploit them and start building botnets. CMS frameworks are known for having multiple vulnerabilities, and there are also very popular exploits publicly available on the internet.

The JASK Research team has prepared a Threat Advisory outlining how lower skilled malicious actors can actually perform mass exploitation and build botnets.

For complete technical details, please download Threat Advisory here.

Share on