Attention WordPress, Joomla and Magento content management system users. There’s a new dual-threat malware that not only steals administrative privileges, but also takes computer files and makes them public. Identified by SiteLock and named Tusayan, the malware is currently active in the wild.
How does it work? An attack begins with the insertion of an IndoXploit Shell file, and the shell kit is then used to snatch configuration files located in the content management system (CMS) being attacked. The malware then takes those files and converts them to plain text, which could contain sensitive credential information. According to a recent SC Magazine article, the malware has been discovered on more than 1,200 web servers so far. Since it primarily impacts older versions of WordPress, Joomla and Magento, it is important that users verify that security patching is up to date and follow best practices.
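A defender-side check for the behaviour described above, as an added example that is not from SiteLock or the original article: it walks a web root and flags plain-text files that contain credential markers from WordPress, Joomla or Magento configuration files. The extension list, the sample file names and the sample tree are assumptions constructed for illustration, not indicators published for Tusayan.

```python
import os
import re
import tempfile

# Strings that appear in stock CMS configuration files.
MARKERS = {
    "wordpress": re.compile(rb"define\(\s*['\"]DB_PASSWORD['\"]"),
    "joomla": re.compile(rb"class\s+JConfig\b"),
    "magento": re.compile(rb"<password><!\[CDATA\[|'crypt'\s*=>"),
}
# Assumption: extensions a web server returns verbatim instead of executing.
PLAIN_EXTS = {"", ".txt", ".log", ".bak", ".old"}

def find_exposed_configs(webroot, max_bytes=1_000_000):
    """Return sorted (relative_path, cms) pairs for plain-text config copies."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PLAIN_EXTS:
                continue  # .php and similar are executed, not served as text
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            for cms, pattern in MARKERS.items():
                if pattern.search(data):
                    hits.append((os.path.relpath(path, webroot), cms))
    return sorted(hits)

def build_sample_webroot(root):
    """Constructed sample: a real config, two plain-text copies, a benign file."""
    samples = {
        "wp-config.php": "<?php define('DB_PASSWORD', 'example');",
        "dump/site1-wp.txt": "<?php define('DB_PASSWORD', 'example');",
        "dump/site2-joomla.txt": "<?php class JConfig { public $password = 'example'; }",
        "readme.txt": "Thanks for installing.",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        for rel, cms in find_exposed_configs(root):
            print(f"{cms}: {rel}")
```

Any hit on a production web root means the credentials in that file should be treated as exposed and rotated, in addition to removing the copy and the shell that created it.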