Joomla has issued a statement revealing that its servers were hacked and that, following the breach, a cryptocurrency-mining script was installed on some of them. Joomla added that, after investigation, it believes the breach could have been prevented.

Joomla is one of the world's three most-used content management systems, the most popular being WordPress. These systems have become popular by making it easier for people who are not software developers to build and manage websites. Given their popularity, they also tend to become targets for hackers and security researchers alike looking for security vulnerabilities.

"At approximately 09:30 UTC on 15 May 2019, a security researcher notified the Joomla Security Strike Team (JSST) that they had discovered an internal Jenkins CI server used by the JED to deploy updates to their live and staging websites and were able to exploit CVE-2018-1000861 on the server, providing a screenshot of a sensitive file as proof of the exploit. Upon notification, JSST members worked with JED team members to bring the affected Jenkins system offline and conduct an analysis of whether this server had been compromised in other ways."


Joomla's statement adds that while investigating the breach, its team discovered that a crypto-miner (a script that runs on a host computer and uses its CPU and memory to mine cryptocurrencies) had been installed and was running on the server.

However, despite the breach, Joomla has said that so far it has found neither evidence nor any reason to believe that "any user data has been accessed improperly."

"At this time, we have no evidence to support having had any data breached on the JED’s server. The exploit payload used in the attack did not have any methods for arbitrary command execution, data exfiltration or spawning a backdoor and therefore simply lacked the code to access the user-related data stored in the systems. Additionally, the amount of data involved in the JED operation has a considerable volume, and we have not detected any actions beyond the regular operation and the mining activity."


Cover image credit: Shahadat Shemul/Unsplash