Enabling the feature: How can I ensure that this specific "Super User monitoring" function is enabled on all my other sites? Is there a specific setting in the WAF configuration I should check to make sure I am notified on every site?
It is on by default. Go to your site's administrator, Components, Admin Tools for Joomla, Web Application Firewall, Configure WAF, click on the Hardening Options tab and set "Monitor Super User accounts" to Yes. Click on Save.
As a good additional precaution you should use the Password-protect Administrator feature from the main page, or the Administrator Secret URL Parameter feature from the Configure WAF page to add additional authentication controls for anyone wishing to access the admin login page. This way, even if a compromised Super User account exists, the attacker will not be able to access it since they can't get to the login page. This buys you time to fix the issue, like you're doing now.
Is there a way within Admin Tools to block such intrusions if an extension's update server is compromised? Since the malicious code comes through a "legitimate" update process, can Admin Tools prevent the execution of such unauthorized user creations, or is this type of attack impossible to block entirely at the extension level?
No. As you said yourself, if the update server is compromised the attacker doesn't just inject malicious code, they make it appear legitimate. There is no direct defence against that.
This is why features like Super User monitoring exist. I reasoned that an attacker who can run arbitrary code on your site would try to create a Super User account to gain a foothold on your site. Back in 2009 I had an installable ZIP Joomla package file which would create a Super Administrator and remove its tracks; all an attacker needed was 10 seconds of unattended access to the backend as an Administrator (or a compromised update server indeed). The best you can do is catch the fact that there's suddenly a Super User account on the site that wasn't there before and was not created using Joomla's Users page in the backend. This screams "VERY LIKELY COMPROMISED" which is why it's blocked and you get an email.
Also note that the other sites that did not send you an email may not have this feature turned on, their emails might have gone to spam, or they may have not installed the compromised update. According to the published news, the compromised version was quickly replaced with a legitimate one that bumped the version number. A few sites got the infected update, all sites got the fixed update. The sites that didn't notify you may have skipped directly to the fixed update. Do keep in mind that sites do not install updates the same second the updates are published; the installs are spread out over several hours to days, depending on update cache settings, how you install updates etc.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
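The baseline comparison described in the answer above, as an added example that is not Admin Tools' or Joomla's own code: it takes a known-good list of Super User ids and reports any account that is now in the Super Users group but was not in that list. It assumes Joomla's default Super Users group id (8) and uses constructed rows that mimic the `#__users` and `#__user_usergroup_map` tables.

```python
"""Report Super User accounts that are absent from a known-good baseline.

Added example, not Admin Tools or Joomla code. Assumes the default
Joomla "Super Users" group id (8) and checks direct group membership
only; the sample rows below are constructed for illustration.
"""
from dataclasses import dataclass

SUPER_USERS_GROUP_ID = 8  # Joomla default; assumption, verify on your site


@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    email: str
    block: int  # 1 = blocked account, 0 = active


# Constructed sample rows standing in for #__users.
USERS = [
    User(42, "admin", "admin@example.test", 0),
    User(57, "editor", "editor@example.test", 0),
    User(913, "sysmaint", "noreply@example.invalid", 0),  # constructed: not expected
]
# Constructed sample rows standing in for #__user_usergroup_map (user_id, group_id).
USER_GROUP_MAP = [(42, 8), (57, 4), (913, 8)]

# Super User ids recorded while the site was known to be clean (constructed).
BASELINE_SUPER_USER_IDS = {42}


def super_user_ids(group_map, group_id=SUPER_USERS_GROUP_ID):
    """Return the ids of users directly mapped to the Super Users group."""
    return {uid for uid, gid in group_map if gid == group_id}


def unexpected_super_users(users, group_map, baseline):
    """Return Super User accounts not present in the baseline, ordered by id.

    Blocked accounts are reported too: an attacker can unblock one later."""
    by_id = {u.user_id: u for u in users}
    new_ids = super_user_ids(group_map) - set(baseline)
    return sorted((by_id[uid] for uid in new_ids if uid in by_id),
                  key=lambda u: u.user_id)


if __name__ == "__main__":
    for u in unexpected_super_users(USERS, USER_GROUP_MAP, BASELINE_SUPER_USER_IDS):
        print(f"ALERT: Super User '{u.username}' (id {u.user_id}) is not in the baseline")
```

On a live site the two lists would come from a read-only database query, and the baseline should be stored outside the site's own database so a compromise cannot rewrite it.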