An ongoing malvertising campaign that has been targeting WordPress sites since July 2019 has morphed from redirecting browsers to sites serving dodgy adverts or malicious software into something more dangerous. According to Mikey Veenstra, a threat analyst at the cybersecurity firm Defiant, the attackers are exploiting flaws in more than ten WordPress plugins to create rogue admin accounts on the targeted sites.
The group behind the campaign has also added a script “which attempts to install a backdoor into the target site by exploiting an administrator’s session.” Running in the browser of a logged-in administrator, the script attempts to create a new user with administrator privileges on the victim’s site.
“If the user is presented with a _wpnonce_create-user nonce when visiting the site’s wp-admin/user-new.php endpoint, then the script knows a new user can be created. If this is the case, the putmeone() function is triggered. This function makes an AJAX call via jQuery which creates the rogue administrator account,” explained Veenstra.
The AJAX call creates a user named “wpservices” with the email “firstname.lastname@example.org” and the password “w0rdpr3ss”. With that account in hand, the attacker can log in at will to install further backdoors or carry out other malicious activity.
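The two-request pattern described above (a GET of wp-admin/user-new.php to pick up the _wpnonce_create-user nonce, followed by a scripted POST to the same endpoint from the same admin session) leaves a recognisable trace in a web server's access log. The following is an added detection example, not code from the article or from Defiant; it parses constructed Apache/nginx combined-format log lines and flags POSTs to user-new.php that either follow the GET within a few seconds (the 5-second window is an assumption) or carry a Referer that is not the user-new.php form itself, which is what a jQuery call fired from some other admin page looks like. It also matches a list of user logins against the “wpservices” indicator quoted above.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; timestamp assumed as %d/%b/%Y:%H:%M:%S %z.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

USER_NEW = "/wp-admin/user-new.php"
ROGUE_USERNAMES = {"wpservices"}    # indicator quoted from the report
WINDOW = timedelta(seconds=5)       # assumption: a scripted GET->POST is near-instant


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_scripted_user_creation(lines, window=WINDOW):
    """Return one dict per suspicious POST to user-new.php.

    A POST is reported when the same client (IP + User-Agent) fetched the
    user-new.php form within `window` before it, or when its Referer is not
    the form page itself (an AJAX submission from another admin page).
    """
    last_get = {}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != USER_NEW:
            continue
        key = (rec["ip"], rec["ua"])
        if rec["method"] == "GET":
            last_get[key] = rec["ts"]
            continue
        if rec["method"] != "POST":
            continue
        reasons = []
        t_get = last_get.get(key)
        if t_get is not None and timedelta(0) <= rec["ts"] - t_get <= window:
            reasons.append("post_within_window_of_get")
        if urlsplit(rec["referer"]).path != USER_NEW:
            reasons.append("referer_not_form_page")
        if reasons:
            hits.append({"ip": rec["ip"], "ua": rec["ua"], "ts": rec["ts"], "reasons": reasons})
    return hits


def find_rogue_accounts(user_logins, rogue=ROGUE_USERNAMES):
    """Return logins (e.g. from `wp user list --field=user_login`) matching the indicator set."""
    return sorted(u for u in user_logins if u.lower() in rogue)


# Constructed sample log: an administrator browsing normally, the injected
# script firing in that session (one second between GET and POST), and a
# second administrator filling in the form by hand 90 seconds later.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2019:14:02:01 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2019:14:02:09 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 8192 "https://example.org/wp-admin/index.php" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2019:14:02:10 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.org/wp-admin/index.php" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Sep/2019:14:05:00 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Sep/2019:14:06:30 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.org/wp-admin/user-new.php" "Mozilla/5.0"',
]
SAMPLE_USERS = ["admin", "editor_jane", "wpservices"]   # constructed user list

if __name__ == "__main__":
    for hit in find_scripted_user_creation(SAMPLE_LOG):
        print(f"suspicious user creation from {hit['ip']} at {hit['ts']:%H:%M:%S}: {', '.join(hit['reasons'])}")
    print("rogue accounts:", find_rogue_accounts(SAMPLE_USERS))
```

Both signals are heuristics: a fast administrator or a cached form page can trigger the first, and a proxy that strips Referer can trigger the second, so treat a hit as a prompt to check the user list (and the wp_users creation timestamps) rather than as proof of compromise.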
The campaign currently targets the following plugins:
Owners of WordPress sites running any of the plugins listed above should make sure they are on the latest versions, and should also review their administrator accounts for unfamiliar users such as the “wpservices” account described above. However, Veenstra warned that “it’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor” as the campaign picks up new targets over time.