Massive campaign targets 900,000 WordPress sites in a week

Hackers have launched a massive attack against more than 900,000 WordPress sites seeking to redirect visitors to malvertising sites or plant a backdoor if an administrator is logged in.

Based on the payload, the attacks seem to be the work of a single threat actor, who used at least 24,000 IP addresses over the past month to send malicious requests to more than 900,000 sites.

XSS, malvertising, backdoor

Compromise attempts increased after April 28. On May 3, WordPress security company Defiant, maker of the Wordfence security plugin, detected over 20 million attacks against more than half a million websites.

Ram Gall, senior QA at Defiant, said that the attackers focused mostly on exploiting cross-site scripting (XSS) vulnerabilities in plugins that received a fix months or years ago and had been targeted in other attacks.

Redirecting visitors to malvertising is one effect of a successful compromise. If the JavaScript is executed by the browser of a logged-in administrator, the code tries to inject a PHP backdoor into the theme’s header file, along with another piece of JavaScript.

The backdoor then gets another payload and stores it in the theme’s header in an attempt to execute it. “This method would allow the attacker to maintain control of the site,” Gall explains.

This way, the attacker could switch to a different payload, such as a webshell, code that creates a malicious admin, or code that deletes the content of the entire site. In the report today, Defiant included indicators of compromise for the final payload.

Old vulnerabilities targeted

Multiple vulnerabilities have been detected, but the following are the most targeted, Gall says. Note that the vulnerable plugins have either been removed from official repositories or received a patch last year or before.

  1. An XSS vulnerability in the Easy2Map plugin, which was removed from the WordPress plugin repository in August of 2019, and which we estimate is likely installed on less than 3,000 sites. This accounted for more than half of all of the attacks.
  2. An XSS vulnerability in Blog Designer which was patched in 2019. We estimate that no more than 1,000 vulnerable installations remain, though this vulnerability was the target of previous campaigns.
  3. An options update vulnerability in WP GDPR Compliance patched in late 2018 which would allow attackers to change the site’s home URL in addition to other options. Although this plugin has more than 100,000 installations, we estimate that no more than 5,000 vulnerable installations remain.
  4. An options update vulnerability in Total Donations which would allow attackers to change the site’s home URL. This plugin was removed permanently from the Envato Marketplace in early 2019, and we estimate that less than 1,000 total installations remain.
  5. An XSS vulnerability in the Newspaper theme which was patched in 2016. This vulnerability has also been targeted in the past.

Administrators of WordPress sites should update their plugins and remove those that are no longer in the WordPress repository.
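As an added example (not code from Defiant or the original article), the following audit covers the two checks the article points administrators toward: finding installs of the plugins and theme named above, and spotting a theme header file that no longer matches a known-good copy. The directory names and the baseline of known-good `header.php` hashes are assumptions; the sample tree is constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed on-disk directory names for the plugins and theme named in the article;
# the article gives product names only, so verify these against your installs.
NAMED_PLUGINS = {"easy2map", "blog-designer", "wp-gdpr-compliance", "total-donations"}
NAMED_THEMES = {"newspaper"}


def audit_wp_content(wp_content, header_baseline):
    """header_baseline: theme dir name -> SHA-256 of a known-good header.php."""
    wp_content = Path(wp_content)
    named, changed = [], []
    for kind, wanted in (("plugins", NAMED_PLUGINS), ("themes", NAMED_THEMES)):
        base = wp_content / kind
        if base.is_dir():
            named += [f"{kind}/{d.name}" for d in sorted(base.iterdir())
                      if d.is_dir() and d.name.lower() in wanted]
    for header in sorted((wp_content / "themes").glob("*/header.php")):
        theme = header.parent.name
        expected = header_baseline.get(theme)
        if expected is None:
            changed.append((theme, "no baseline"))
        elif hashlib.sha256(header.read_bytes()).hexdigest() != expected:
            changed.append((theme, "hash mismatch"))
    return named, changed


def build_sample_tree(root):
    """Constructed sample: one named plugin, one clean theme, one altered theme."""
    clean = b"<?php wp_head(); ?>\n"
    files = {
        "plugins/easy2map/easy2map.php": b"<?php // constructed\n",
        "plugins/example-plugin/example.php": b"<?php // constructed\n",
        "themes/clean-theme/header.php": clean,
        "themes/altered-theme/header.php": clean + b"<?php /* constructed extra */ ?>\n",
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    digest = hashlib.sha256(clean).hexdigest()
    return {"clean-theme": digest, "altered-theme": digest}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_wp_content(tmp, build_sample_tree(tmp)))
```

A hash mismatch only says the header differs from the recorded baseline, so legitimate theme updates need the baseline refreshed from a trusted copy.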

Kent
