Hackers have launched a massive attack on over 900,000 WordPress sites, trying to divert visitors to malicious sites or install a backdoor when the administrator is logged in.
Based on the payload, the attacks appear to be the work of a single threat actor who used at least 24,000 IP addresses last month to send malicious requests to more than 900,000 websites.
XSS, malvertising, backdoor
The attempts to compromise sites intensified after April 28. Defiant, the security company behind the Wordfence WordPress security plugin, observed on May 3 more than 20 million attacks against more than half a million websites.
Ram Gall, quality manager at Defiant, said the attacker focuses on exploiting cross-site scripting (XSS) vulnerabilities in plugins that were patched months or years ago and that have been targeted by other attacks in the past.
The backdoor then fetches a different payload and stores it in the theme header so that it is executed. This method lets the intruder keep control of the site, says Gall.
In this way, an attacker could switch to another payload, which could be a web shell, a malicious administrator account, or code that deletes the entire site's content. Defiant also published indicators of compromise for the final payload.
Previously patched vulnerabilities targeted
Several vulnerabilities have been seen under attack, but the following are the most targeted, according to Gall. Note that the vulnerable plugins were either removed from the official repository or received a patch last year or earlier.
- An XSS vulnerability in the Easy2Map plugin, which was removed from the WordPress plugin repository in August 2019 and, according to Defiant's estimate, is probably installed on fewer than 3,000 websites. This vulnerability alone accounted for more than half of the attacks.
- An XSS vulnerability in the Blog Designer plugin, patched in 2019. Defiant estimates that no more than 1,000 vulnerable sites remain, although this vulnerability has been the target of previous campaigns.
- An options update vulnerability in WP GDPR Compliance, patched at the end of 2018, which allows attackers to change a site's home URL in addition to other options. Although this plugin has more than 100,000 installations, Defiant estimates that no more than 5,000 vulnerable installations remain.
- An options update vulnerability in Total Donations that allows attackers to change the site's home URL. This plugin was removed from the Envato marketplace in early 2019, and Defiant estimates that fewer than 1,000 installations remain.
- An XSS vulnerability in the Newspaper theme, patched in 2016. This vulnerability has also been the target of attacks in the past.
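The two behaviours the article describes, a payload planted in the theme header and a site's home URL rewritten through an options update bug, can both be checked for from the defender's side. The script below is an added example written for this page, not code from Defiant or Wordfence: it scans the text of a theme header file for heuristics that match the described backdoor (a PHP `eval` over decoded content, code gated on an administrator session, script tags loading from a host outside an allowlist) and compares the `siteurl` and `home` options against the host the site is supposed to use. The header contents, the option values and the host names are constructed samples; the detection patterns are heuristics and will need tuning for a real theme.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a theme header.php after an injection. This is made up
# for the example and is not a real artefact from the campaign in the article.
SAMPLE_HEADER_PHP = """<?php
/* Theme header */
?>
<!DOCTYPE html>
<head>
<script src="https://cdn.example-tracker.invalid/track.js"></script>
<?php if (current_user_can('administrator')) { eval(base64_decode('ZWNobyAiYmFja2Rvb3IiOw==')); } ?>
<link rel="stylesheet" href="/wp-content/themes/mytheme/style.css">
</head>
"""

# Constructed sample of the two URL options as exported from wp_options.
# Only "home" has been tampered with here.
SAMPLE_OPTIONS = {
    "siteurl": "https://shop.example.org",
    "home": "https://redirect.example-bad.invalid",
}

# Heuristics for the backdoor described in the article: PHP eval on decoded
# content, and code that only runs when an administrator is logged in. Both are
# unusual in a theme header and worth a manual look if they appear.
SUSPICIOUS_PHP = [
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    re.compile(r"current_user_can\s*\(\s*['\"]administrator['\"]\s*\)", re.I),
]
# Any <script src=...> tag; the host is compared against an allowlist below.
SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def scan_theme_header(source, allowed_hosts):
    """Return (line number, reason) findings for the text of a header.php file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in SUSPICIOUS_PHP:
            if pattern.search(line):
                findings.append((lineno, f"suspicious PHP: {pattern.pattern}"))
        for src in SCRIPT_SRC.findall(line):
            host = urlparse(src).netloc
            # Relative script paths have no host and are left alone.
            if host and host not in allowed_hosts:
                findings.append((lineno, f"external script host: {host}"))
    return findings


def check_site_urls(options, expected_host):
    """Return the names of the URL options whose host is not the expected one."""
    wrong = []
    for name in ("siteurl", "home"):
        if urlparse(options.get(name, "")).netloc != expected_host:
            wrong.append(name)
    return wrong


if __name__ == "__main__":
    for lineno, reason in scan_theme_header(SAMPLE_HEADER_PHP, {"shop.example.org"}):
        print(f"header.php:{lineno}: {reason}")
    for name in check_site_urls(SAMPLE_OPTIONS, "shop.example.org"):
        print(f"option {name!r} points away from shop.example.org")
```

On a live site the header text would come from the active theme's header.php (and the other theme files, since the payload can be stored anywhere the theme loads) and the options from `wp option get siteurl` / `wp option get home` or a direct query of wp_options; comparing both against a known-good copy of the theme is more reliable than any pattern list, and these heuristics are meant as a quick triage step, not a replacement for reinstalling the theme and removing the vulnerable plugin.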
WordPress site administrators should update their plugins and remove any plugin that is no longer available in the WordPress plugin repository.