A large-scale attack campaign has targeted over 900,000 WordPress websites through vulnerabilities in plugins and themes, WordPress security company Defiant revealed this week.
The attacks were initially discovered on April 28, but showed a massive spike on May 3, when more than half a million websites were hit. Likely the work of a single threat actor, the campaign is aimed at injecting the target websites with malicious JavaScript designed to redirect visitors to malvertising sites.
Responsible for only a small volume of attacks in the past, the threat actor has ramped up the operation, with over 20 million attacks registered on May 3 alone. Over the past month, the researchers observed more than 24,000 distinct IP addresses attacking more than 900,000 sites.
“Due to the sheer volume and variety of attacks and sites that we’ve seen targeted, it is possible that your site may be exposed to these attacks, and the malicious actor will likely pivot to other vulnerabilities in the future,” Defiant says.
The targeted vulnerabilities are not new and have been abused in previous attacks as well. These include Cross-Site Scripting (XSS) vulnerabilities in the Easy2Map plugin (removed from the WordPress repository in August 2019), Blog Designer (patched in 2019), and Newspaper theme (patched in 2016), and options update bugs in WP GDPR Compliance (patched in late 2018), and Total Donations (removed in early 2019).
“Although it is not readily apparent why these vulnerabilities were targeted, this is a large scale campaign that could easily pivot to other targets,” Defiant says.
The JavaScript the attackers attempt to inject is loaded from count[.]trackstatisticsss[.]com/stm. Once it runs in a visitor's browser, it checks whether any WordPress login cookies are set; the attackers are counting on the script eventually executing in an administrator's browser.
Visitors who are not logged in and are not on the login page are redirected to a malvertising site. Otherwise, the script attempts to inject a malicious PHP backdoor into the current theme's header, along with a second malicious JavaScript.
The backdoor downloads another payload from https://stat[.]trackstatisticsss[.]com/n.txt and attempts to execute it by including it in the theme header.
“This method would allow the attacker to maintain control of the site, as they could simply change the contents of the file at https://stat[.]trackstatisticsss[.]com/n.txt to code of their choice which could be used to embed a webshell, create a malicious administrator, or even delete the entire contents of the site,” Defiant says.
The final payload is designed to prepend a variant of the initial script to every JavaScript file on the site, as well as to every .htm, .html and .php file named "index". It also rechecks the infected site every 6,400 seconds and re-infects it if the injected code is missing.
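The file classes described above (JavaScript files, index files and the active theme's header) are what a site owner would want to sweep first. The following Python script is an added example, not Defiant's code and not part of the original article: it walks a WordPress tree, tags each file by the class the campaign is reported to touch, and reports where the payload host name appears, noting whether the hit sits near the top of the file, which is what prepending looks like. The host name is the only indicator taken from the article; the directory layout, the sample contents, and the function names are constructed for the demonstration, and the "infected" sample files stand in for the injected code rather than reproducing it.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Added example, not Defiant's or WordPress' own code. The host name below is the
# indicator named in the article; everything else here is constructed.
IOC_HOST = re.compile(r"trackstatisticsss\.com", re.IGNORECASE)
INDEX_NAMES = {"index.php", "index.html", "index.htm"}
HEAD_BYTES = 4096  # the payload prepends, so a hit this early in a file is the telling sign


def classify(path: Path, wp_root: Path) -> str:
    """Tag a file with the class the campaign is reported to modify ("other" if none)."""
    parts = path.relative_to(wp_root).parts
    # wp-content/themes/<theme>/header.php is where the PHP backdoor is injected
    if len(parts) >= 4 and parts[0] == "wp-content" and parts[1] == "themes" and path.name == "header.php":
        return "theme-header"
    if path.suffix.lower() == ".js":
        return "javascript"
    if path.name.lower() in INDEX_NAMES:
        return "index-file"
    return "other"


def scan_file(path: Path) -> Optional[dict]:
    """Return the first indicator hit in a file, or None if the file is clean."""
    text = path.read_bytes().decode("utf-8", errors="replace")
    m = IOC_HOST.search(text)
    if not m:
        return None
    return {"offset": m.start(), "prepended": m.start() < HEAD_BYTES}


def scan_site(wp_root: Path) -> list:
    """Scan every file under wp_root; flag hits in any class, not only the expected ones."""
    findings = []
    for path in sorted(wp_root.rglob("*")):
        if not path.is_file():
            continue
        hit = scan_file(path)
        if hit:
            findings.append({
                "path": path.relative_to(wp_root).as_posix(),
                "kind": classify(path, wp_root),
                **hit,
            })
    return findings


def build_sample_site(root: Path) -> None:
    """Constructed sample tree: clean and 'infected' files for each class (not real payloads)."""
    files = {
        # index.php with a constructed stand-in prepended above the normal WordPress loader
        "index.php": "<?php /* constructed stand-in, not the real backdoor */ "
                     "$remote = 'https://stat.trackstatisticsss.com/n.txt'; ?>\n"
                     "<?php define('WP_USE_THEMES', true); require 'wp-blog-header.php';",
        "wp-content/themes/twentytwenty/header.php":
            "<?php /* constructed stand-in */ $remote = 'https://stat.trackstatisticsss.com/n.txt'; ?>\n"
            "<!DOCTYPE html>\n<html>",
        "wp-content/themes/twentytwenty/footer.php": "<footer>clean</footer>",
        # a JS file with a constructed loader line for the article's script URL prepended
        "wp-includes/js/jquery/jquery.js":
            "var s=document.createElement('script');s.src='https://count.trackstatisticsss.com/stm';\n"
            "/*! jQuery (unchanged library code would follow) */",
        "wp-includes/js/clean.js": "console.log('clean');",
        "wp-content/uploads/index.php": "<?php // Silence is golden.",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")


def demo() -> list:
    """Build the constructed site in a temp dir, scan it, print and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        findings = scan_site(root)
    for f in findings:
        print(f"{f['kind']:<13} {f['path']}  offset={f['offset']}  prepended={f['prepended']}")
    return findings


if __name__ == "__main__":
    demo()
```

Against a real install, call scan_site(Path("/var/www/html")) (path assumed) and treat any hit in the "other" class as worth a look too, since the article notes the actor can change the remote payload at will. Cleaning flagged files is not enough on its own: the final payload rechecks the site every 6,400 seconds and re-infects it, so the theme-header backdoor and the vulnerable plugin or theme that let the script in have to go at the same time.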
Site owners are advised to keep all of their plugins and themes updated, and to deactivate and delete any plugin that has been removed from the WordPress plugin repository, since such plugins no longer receive security fixes.
Related: Code Injection Vulnerability Found in ‘Real-Time Find and Replace’ WordPress Plugin
Related: Unpatched Flaw in Discontinued Plugin Exposes WordPress Sites to Attacks
Related: Critical Flaw in SEO Plugin Exposed Many WordPress Sites to Attacks