Almost A Million WordPress Sites Targeted In Extensive Attacks

A threat actor is actively trying to insert a backdoor into and compromise WordPress-based sites to redirect visitors to malvertising.

“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only within the past few days that they’ve truly ramped up, to the point where over 20 million attacks were attempted against over half a million individual sites on May 3, 2020,” Wordfence analysts discovered.

“Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites.”

About the attacks

The group has a clear predilection for older cross-site scripting (XSS) and options update vulnerabilities in less popular WordPress plugins and themes, such as Easy2Map, Blog Designer, WP GDPR Compliance, Total Donations, and the Newspaper theme.

Most of these vulnerabilities were patched months or years ago and are known to have been targeted in the past. A number of the targeted plugins have also been removed from online plugin repositories, including WordPress’ official one.

The analysts believe that the same actor is behind most of these attacks because the payload they’re attempting to inject – a malicious JavaScript – is the same.

“If the victim isn’t logged in, and isn’t on the login page, it redirects them to a malvertising URL. If the victim is logged into the site, the script attempts to inject a malicious PHP backdoor into the current theme’s header file, in addition to another malicious JavaScript,” they shared.
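As an added illustration (not part of the article, and not Wordfence’s own tooling), the following Python heuristic reviews a theme’s header.php for the two artefacts described above: script tags loading from a host other than the site itself, and PHP blocks calling functions that rarely belong in a header file. The sample file, the site host and the attacker host are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# PHP calls that are legitimate elsewhere but rarely belong in a theme's header.php.
SUSPICIOUS_PHP = ("eval", "base64_decode", "gzinflate", "str_rot13",
                  "assert", "create_function", "system", "shell_exec")

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
PHP_BLOCK_RE = re.compile(r'<\?php(.*?)\?>', re.S | re.I)
CALL_RE = re.compile(r'\b(' + '|'.join(SUSPICIOUS_PHP) + r')\s*\(', re.I)


def find_foreign_scripts(header_php: str, site_host: str) -> list:
    """Return hosts of <script src> tags that do not point at the site itself."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(header_php):
        host = urlparse(src).hostname  # None for relative URLs, which are local
        if host and host.lower() != site_host.lower():
            hosts.append(host.lower())
    return hosts


def find_suspicious_php(header_php: str) -> list:
    """Return suspicious function names called inside <?php ... ?> blocks, in order."""
    found = []
    for block in PHP_BLOCK_RE.findall(header_php):
        found.extend(name.lower() for name in CALL_RE.findall(block))
    return found


def scan_header(header_php: str, site_host: str) -> dict:
    """Run both heuristics; any non-empty list means the file deserves manual review."""
    return {"foreign_scripts": find_foreign_scripts(header_php, site_host),
            "suspicious_php": find_suspicious_php(header_php)}


# Constructed sample of a header.php after the kind of tampering the article describes.
SAMPLE_HEADER = """<?php /* constructed sample theme header, not a real theme */ ?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<meta charset="<?php bloginfo( 'charset' ); ?>">
<?php wp_head(); ?>
<script src="/wp-content/themes/demo/js/nav.js"></script>
<script src="https://attacker-placeholder.invalid/t.js"></script>
</head>
<body <?php body_class(); ?>>
<?php eval(gzinflate(base64_decode("PLACEHOLDER_BLOB"))); ?>
"""

if __name__ == "__main__":
    print(scan_header(SAMPLE_HEADER, "example-site.test"))
```

The heuristics are intentionally narrow: a clean header.php produces two empty lists, while the constructed sample flags the off-site script host and the eval/gzinflate/base64_decode chain.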

They expect the threat actor to take advantage of similar vulnerabilities in other plugins and themes.

What to do?

“The overwhelming majority of these attacks are targeted at vulnerabilities that were patched months or years ago, and in plugins that don’t have a large number of users.

While we didn’t see any attacks that would be effective against the newest versions of any currently available plugins, running a Web Application Firewall can also help protect your site against any vulnerabilities that may not yet have been patched,” Wordfence analysts noted.

K2 Cyber Security’s Timothy Chiu says that perimeter security tools like WAFs require a lot of tuning to make them effective at protecting applications, and corporations don’t typically have the security resources required to do an adequate job.

For organizations that have that problem, and for people who only run a site or two, the simplest way to minimize their attack surface is to keep plugins and themes up to date, and to delete plugins they no longer need as well as those that have been removed from the WordPress plugin repository.

Wordfence has provided indicators of compromise that site administrators can use to check whether they’ve been hit.
