A widespread hacking campaign is targeting content management systems around the world, transforming them into tools for cybercriminals. This operation is primarily affecting small and medium-sized businesses in Australia and beyond, with many web servers being compromised without obvious signs. The Australian Signals Directorate’s Cyber Security Centre, or ACSC, has identified the use of webshells in this campaign, which allow attackers to gain remote control over the affected sites. Once in control, these criminals can manipulate web pages, steal credentials, distribute malware, or further infiltrate networks.

ACSC analysts discovered that attackers are exploiting multiple known vulnerabilities within various CMS platforms and plugins. These vulnerabilities allow actions like unauthorized file uploads, remote code execution, and server-side request forgery. Many of these vulnerabilities already have public patches available, highlighting the importance of maintaining up-to-date software to mitigate risks. The ACSC report notes the increasing speed at which attackers are exploiting newly disclosed vulnerabilities, a trend accelerated by AI technologies.

The campaign spans popular CMS platforms and plugins, including WordPress plugins like Simple File List and Ninja Forms, as well as standalone systems like Joomla JCE and Craft CMS. Attackers are scanning for sites running outdated versions of these tools, deploying webshells for persistent access once a vulnerability is found. This broad approach increases the likelihood of finding unpatched systems to exploit.

ACSC advises website owners to inspect their CMS directories for unusual files and analyze web access logs for suspicious activity. If a webshell is detected, servers should be isolated and treated as compromised. Organizations should review authentication and network logs for lateral movement and restore from clean backups after ensuring the environment is secure. Long-term prevention measures include keeping software updated, disabling vulnerable plugins, configuring directories as read-only, and monitoring for unexpected web server processes. Limiting network paths to internal systems can also reduce the risk of further breaches.