NorthSec 2021

CrimeOps of the KashmirBlack Botnet
2021-05-21, 09:05–09:35, Main stream

We will take you down the rabbit hole into our journey to expose the KashmirBlack botnet. Explore the DevOps behind the botnet and go deep into the bits-and-bytes of the infection technique.

The KashmirBlack botnet mainly infects popular CMS platforms. It utilizes dozens of known vulnerabilities on its victims’ servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.

Its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation.

It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 - mostly innocent surrogate - servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.

- Security is only as strong as the weakest link.
- CMS platforms have the potential to be the weakest link in the security chain, because they are so modular with thousands of plugins and themes. Owners are notorious for poor cyber hygiene, using old versions, unsupported plugins and weak passwords. It’s not that CMS platforms are very vulnerable like they have the potential to be.
- A large scale botnet doesn’t necessarily need an exsotic exploit to expand, it can exploit old vulnerabilities to infect millions of victims. But in order to create a stable and long-term botnet, it needs a well designed agile infrastructure.
- The COVID pandemic has created more opportunities for hackers, as more businesses digitize their operations. Just like the world adjusts and more businesses go online, the community needs to adjust and aducate for better security hygiene.

Workshops only: Would you like to stream the workshop to an additional (passive) audience? – no Have you given this talk/workshop before? If yes, please provide details and/or slides/video.


Security Researcher at Imperva for the last 3 years & 2 years as a database security & complience expert.
Web application vulnerability research & analysis.
Database Security & Web Application Security.
Data & Information Security, Compliance and Regulations.
Risk Management, Vulnerability Assessments and Scanning.

This speaker also appears in:

Security researcher at Imperva for the last 5 years in web application and cloud data security and for 5 years as a security analyst.
Analyse CVEs and threats in web applications and cloud environment.
Develop algorithms to detect and protect against attacks.

This speaker also appears in: