Strains of ransomware have been detected on Joomla domains, revealing a disturbing evolution of the malware's attack vectors. According to Brad Duncan, attacks based on the "admedia" campaign have expanded beyond their traditional target, websites running the WordPress content management system, and now also hunt down vulnerable Joomla CMS web domains.
The strings revealed an admedia iframe injection that led to the installation of multiple backdoors. In addition, the malicious admedia domains generated on these sites sent unwitting visitors to an exploit kit containing the TeslaCrypt ransomware.
Symantec has detected up to 20,000 daily attempts to exploit a recently patched Joomla vulnerability that can be leveraged for remote code execution.
The first attempts to exploit the flaw, which affects installations running Joomla 1.5.0 through 3.4.5, were spotted two days before the developers of the popular content management system released patches. Symantec has been monitoring attack attempts and detected, on average, 16,000 daily hits since the vulnerability was disclosed. Attackers can leverage the Joomla security hole to compromise servers and use them for hosting malware and other malicious activities.
Attackers are actively exploiting a critical remote command-execution vulnerability that has plagued the Joomla content management system for almost eight years, security researchers said. It was too late: the bug was already being exploited in the wild.
The attacks started on Saturday from a handful of IP addresses and by Sunday included hundreds of exploit attempts to sites monitored by Sucuri. "Today, the wave of attacks is even bigger, with basically every site and honeypot we have being attacked," the blog post reported. "That means that probably every other Joomla site out there is being targeted as well."