WordPress plugins have a critical security flaw

Attackers began using unauthorized administrator accounts to launch attacks on WordPress sites last month, and the attacks have continued, according to a new study from Wordfence.

The company's security researchers found that known vulnerabilities in WordPress plugins have been exploited to inject malicious JavaScript code into the victim sites' interfaces, causing visitors to these compromised sites to be redirected to potentially harmful content, including malware droppers and scam sites. Attackers have hidden a large number of replay payloads to prevent WAF and IDS software from detecting them.

Wordfence researchers discovered the origin of the attacks and identified several IP addresses associated with web hosting providers. However, once the problem was reported to the providers, most IPs stopped their illegal activities, with the exception of one.

In a blog post explaining his discovery, Mikey Veenstra of Wordfence explained that most of the attacks originated from an IP address:

"The IP address in question is, a Rackspace server currently hosting some possibly compromised websites. We contacted Rackspace to inform them of this activity, in the hope that they would act to prevent further attacks from their network. We have not received an answer yet."

WordPress plugin vulnerabilities

All of the attacks that have occurred so far have targeted several known vulnerabilities in the older NicDark plugins, including nd-booking, nd-travel, and nd-learning.

Although initial research into the campaign identified the injection of scripts that triggered malicious redirects or unwanted pop-ups in the browsers of those who visited a victim site, the campaign has evolved by adding an additional script that attempts to install a backdoor on the target site by exploiting an administrator session.

Wordfence also explained how WordPress site owners can avoid falling victim to this campaign by saying:

"As always, updating plugins and themes on your WordPress site is an excellent layer of defense against campaigns like this. Check your site for updates frequently to ensure you receive the latest patches when they are released. Wordfence users receive periodic emails informing them of the availability of updates."
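
To act on that advice, a site owner first needs to know whether any of the plugins named above are installed and at which version. The following Python script is an added example, not code from Wordfence or the original article; it assumes the standard wp-content/plugins layout and the standard WordPress plugin header comment, and it only reports versions for comparison with the latest release.

```python
import re
import sys
from pathlib import Path

# Plugin slugs named in the article as targets of the campaign.
TARGETED_SLUGS = ("nd-booking", "nd-travel", "nd-learning")

# WordPress reads plugin metadata from a comment header in the main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)


def read_plugin_header(php_file):
    """Return the 'plugin name' and 'version' header fields found in a PHP file."""
    text = php_file.read_text(errors="replace")[:8192]  # headers sit at the top
    return {key.lower(): value for key, value in HEADER_RE.findall(text)}


def find_targeted_plugins(plugins_dir):
    """Return [(slug, name, version)] for each targeted plugin under plugins_dir."""
    found = []
    for slug in TARGETED_SLUGS:
        plugin_dir = Path(plugins_dir) / slug
        if not plugin_dir.is_dir():
            continue
        # Directory exists: report it even when no readable header is present.
        name, version = slug, "unknown"
        for php_file in sorted(plugin_dir.glob("*.php")):
            header = read_plugin_header(php_file)
            if "plugin name" in header:
                name = header["plugin name"]
                version = header.get("version", "unknown")
                break
        found.append((slug, name, version))
    return found


if __name__ == "__main__":
    # Assumed default: run from the WordPress root directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    hits = find_targeted_plugins(root)
    for slug, name, version in hits:
        print(f"{slug}: '{name}' version {version} is installed; "
              "compare with the latest release and update or remove it")
    if not hits:
        print("None of the plugins named in the article were found.")
```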

Via SC Magazine