Jmail Breaker: Attackers Compromise Joomla Sites Using 2015 Remote Code Execution Bug

On March 5, Check Point Research published a blog post about a campaign they’re calling Jmail Breaker. According to their research, a threat actor is currently using CVE-2015-8562, a user-agent object injection flaw to target vulnerable Joomla sites in order to overwrite jmail.php, the Joomla mail service library. The intention behind overwriting this file is to use this overwritten service to conduct phishing and spam attacks from infected sites.

Because the vulnerability was patched in 2015, it is critically important to ensure your Joomla installations are updated.

A list of Nessus plugins to identify this vulnerability are available here.