Thousands of Hacked WordPress Sites Abused in Neutrino EK Attacks

Researchers at cloud security company Zscaler have spotted a campaign in which attackers are redirecting victims to malware-serving websites with the aid of thousands of hijacked WordPress sites.

According to Zscaler, cybercriminals have compromised more than 2,600 WordPress websites over the past month. The hackers planted malicious iframes on 4,200 distinct pages of websites running vulnerable versions of WordPress 4.2 and prior. These iframes redirect users to Neutrino exploit kit landing pages.

The Neutrino landing page is designed to exploit Flash Player vulnerabilities in order to push the CryptoWall 3.0 ransomware to the computers of Internet Explorer users. It’s worth noting that Neutrino started leveraging the Flash Player exploits leaked as a result of the Hacking Team breach shortly after the existence of the exploits came to light.

“WordPress compromises are not new, but this campaign shows an interesting underground nexus starting with backdoored WordPress sites, a Neutrino Exploit Kit-controlled server, and the highly effective CryptoWall ransomware,” Zscaler said in a blog post. “This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena.”

After the notorious Blackhole exploit kit disappeared following the arrest of its creator, the Angler exploit kit took its place. The developers of Angler have done a great job at integrating just-patched and even zero-day vulnerabilities into their creation. However, in the last few days, Zscaler researchers noticed a significant increase in the use of Neutrino. 

Brad Duncan, a Rackspace security researcher and handler at the SANS Institute’s Internet Storm Center, also reported seeing a lot more Neutrino traffic than before.

Duncan says it’s usually difficult to find a hacked website that triggers a Neutrino exploit kit infection chain, but that changed this week.

“Our preliminary analysis indicates the actor behind a significant amount of Angler EK during recent months switched to Neutrino EK sometime this week. We don’t have enough data to know if this change is permanent,” the expert noted in a blog post.

The Neutrino EK attacks analyzed by Duncan were also designed to deliver CryptoWall 3.0 file-encrypting ransomware.

“If this change indicates a trend, we might see a large amount of compromised websites pointing to Neutrino EK, along with a corresponding drop in Angler EK traffic. However, criminal groups using these EKs have quickly changed tactics in the past, and the situation may change by the time you read this,” Duncan said.

Related Reading: WordPress 4.3 Billie Improves Password Security