3 September 2019

Hackers escalate ongoing attacks on WordPress sites, add backdoors and target new plugins

An ongoing malvertising campaign that has been targeting WordPress sites since July 2019 has morphed from redirecting browsers to sites serving dodgy adverts or malicious software into something even more dangerous. According to Mikey Veenstra, a threat analyst at cybersecurity firm Defiant, the attackers are exploiting flaws in more than ten WordPress plugins to create rogue admin accounts on targeted WordPress sites.

Much of the campaign remains the same, said Veenstra. The attackers exploit known vulnerabilities in WordPress plugins to inject malicious JavaScript code into the frontends of victim sites, which redirects the site’s visitors to potentially harmful content. Where possible, the payloads are obfuscated in an attempt to evade detection by WAF and IDS software. Recently, however, the attackers added new vulnerabilities to their list of targets, namely flaws in the Bold Page Builder and NinTechNet plugins.

In addition, the group behind the campaign has added a script “which attempts to install a backdoor into the target site by exploiting an administrator’s session.” The malicious script tries to create a new user with administrator privileges on the victim’s site.

“If the user is presented with a _wpnonce_create-user nonce when visiting the site’s wp-admin/user-new.php endpoint, then the script knows a new user can be created. If this is the case, the putmeone() function is triggered. This function makes an AJAX call via jQuery which creates the rogue administrator account,” explained Veenstra.

The AJAX call creates a user named “wpservices” with the email “wpservices@yandex.com” and the password “w0rdpr3ss”. Then the attacker can install further backdoors or perform other malicious activity.
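The two indicators above (the rogue login name and e-mail) and the endpoint the script abuses (wp-admin/user-new.php) are enough to build a simple audit for site owners. The following is an added example written for this article, not code from Defiant or from the WordPress project. It assumes the user records come from the real WP-CLI command `wp user list --format=json --fields=ID,user_login,user_email,roles` (sample output constructed inline) and that the web server writes Apache/nginx “combined” format access logs (sample lines constructed inline). The referer heuristic is an assumption: the injected script runs on the site’s frontend, so a user-creation POST whose referer is not a wp-admin page is worth a closer look, whereas a legitimate creation is submitted from the wp-admin form itself.

```python
"""Audit helpers for the rogue-admin backdoor described in the article.

Added example, not the article's or Defiant's code. Assumptions:
  - user records are the JSON printed by
      wp user list --format=json --fields=ID,user_login,user_email,roles
  - access log lines are in Apache/nginx "combined" format
Both inputs below are constructed samples.
"""
import json
import re

# Indicators quoted in the article for this campaign.
ROGUE_LOGIN = "wpservices"
ROGUE_EMAIL = "wpservices@yandex.com"
USER_NEW_ENDPOINT = "/wp-admin/user-new.php"

# Constructed sample output of `wp user list --format=json ...`.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "admin", "user_email": "admin@example.org", "roles": "administrator"},
    {"ID": 7, "user_login": "editor1", "user_email": "ed@example.org", "roles": "editor"},
    {"ID": 42, "user_login": "wpservices", "user_email": "wpservices@yandex.com", "roles": "administrator"},
])

# Constructed sample access-log lines ("combined" format).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2019:10:01:12 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 5123 "https://example.org/" "Mozilla/5.0"
203.0.113.5 - - [02/Sep/2019:10:01:13 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.org/" "Mozilla/5.0"
198.51.100.9 - - [02/Sep/2019:11:20:00 +0000] "GET /wp-content/uploads/x.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Sep/2019:11:25:41 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.org/wp-admin/user-new.php" "Mozilla/5.0"
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_rogue_admins(users_json, known_admins):
    """Return administrator accounts not in the expected allow-list.

    Each finding is tagged with whether it matches the campaign's published
    indicators (login "wpservices" / e-mail "wpservices@yandex.com"). Any
    unexpected administrator is reported, since the attacker can rename.
    """
    findings = []
    for user in json.loads(users_json):
        roles = user.get("roles", "").split(",")
        if "administrator" not in roles or user["user_login"] in known_admins:
            continue
        ioc_hit = (user["user_login"] == ROGUE_LOGIN
                   or user["user_email"].lower() == ROGUE_EMAIL)
        findings.append({"ID": user["ID"], "user_login": user["user_login"],
                         "ioc_match": ioc_hit})
    return findings


def find_user_creation_posts(log_text):
    """Return every POST to wp-admin/user-new.php seen in the log.

    Heuristic (assumption, see lead-in): the injected script fires from the
    site's frontend, so a POST whose referer is not under /wp-admin/ is
    marked suspicious; the legitimate form posts from wp-admin itself.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST" or not path.endswith(USER_NEW_ENDPOINT):
            continue
        referer = m.group("referer")
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "referer": referer,
                     "suspicious": "/wp-admin/" not in referer})
    return hits


if __name__ == "__main__":
    for f in find_rogue_admins(SAMPLE_USERS_JSON, known_admins={"admin"}):
        print("unexpected administrator:", f)
    for h in find_user_creation_posts(SAMPLE_LOG):
        print("user creation POST:", h)
```

Run it against the site’s real user list and a day of access logs; an unexpected administrator or a user-creation POST with a frontend referer around the time the account appeared is the trigger for deeper incident response (rotating credentials, reviewing file changes, and updating the vulnerable plugin).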

Currently, the campaign targets the following plugins:

Owners of WordPress-powered websites using any of the above-mentioned plugins are advised to check that they have the latest versions installed. However, Veenstra warned that “it’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor,” as the campaign picks up new targets over time.
