A few weeks ago an IT security audit team reported a malicious campaign that used online ads to distribute code that redirects visitors and displays pop-ups, exploiting a set of vulnerabilities in plugins for the WordPress content management system. Unfortunately, this activity has not stopped, and the operators are even evolving their attacks.
IT security audit experts have also found details suggesting that the campaign operators have added other methods for attacking WordPress sites. For example, attacks from multiple IP addresses linked to web hosting providers were initially identified, but shortly after the first hints of these attacks were revealed, activity from all of these IP addresses stopped, except for one. That address, 126.96.36.199, is linked to a Rackspace server that hosts some potentially malicious sites. The company has already been notified about this activity, although it has not commented on it.
Another indicator of this hacker group's evolution is the growing list of exploited vulnerabilities and plugins. At the beginning of the campaign the hackers exploited only one set of flaws, and that remained the case until now: a cross-site scripting (XSS) vulnerability was recently disclosed in the Bold Page Builder plugin, and these hackers began exploiting it a few days ago.
Although the attackers' targets change from day to day, IT security audit experts have detected a particular interest in the following plugins:
- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- Visual CSS Style Editor
- WP Live Chat Support
More vulnerable plugins could be added to this list in the upcoming days.
The most relevant change in this campaign is the inclusion of a script with which the threat actors try to install a backdoor on targeted websites by exploiting a bug in WordPress admin sessions. Exploiting this vulnerability gives the hackers high privileges, allowing them to install malicious payloads with virtually no restriction on the attacked website. Other malicious activities are also possible once this flaw is exploited.
IT security audit experts from the International Institute of Cyber Security (IICS) report that the hackers behind this campaign continue to operate, so WordPress site administrators using any of the vulnerable plugins are encouraged to update them and to verify their web application firewall settings. If you manage a WordPress site, please help us spread the word; prevention is a vital element in the fight against malicious activity on WordPress sites and similar services.
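As an added, defender-side example (not code from the original article or from IICS), the following Python parses the plugin inventory that WP-CLI prints with `wp plugin list --format=csv` and flags any plugin from the list above that is installed, active, and still waiting for an update. The WP-CLI field names (`name`, `title`, `status`, `update`, `version`, `update_version`) are real; the plugin slugs and version numbers in the embedded sample are constructed for this example.

```python
import csv
import re

# Plugins named in the article as current targets of the campaign.
TARGETED_PLUGIN_TITLES = [
    "Bold Page Builder",
    "Blog Designer",
    "Live Chat with Facebook Messenger",
    "Yuzo Related Posts",
    "Visual CSS Style Editor",
    "WP Live Chat Support",
]

# Constructed sample of `wp plugin list --format=csv --fields=name,title,status,update,version,update_version`;
# slugs and version numbers are made up for this example, not taken from any real site.
SAMPLE_WP_PLUGIN_LIST = """\
name,title,status,update,version,update_version
bold-page-builder,Bold Page Builder,active,available,2.3.1,2.3.2
akismet,Akismet Anti-Spam,active,none,4.1.2,
yuzo-related-post,Yuzo Related Posts,inactive,none,5.12.94,
wp-live-chat-support,WP Live Chat Support,active,none,8.0.27,
"""


def _normalize(title: str) -> str:
    """Lower-case and collapse punctuation so plugin titles compare loosely."""
    return re.sub(r"[^a-z0-9]+", " ", title.lower()).strip()


def find_targeted_plugins(wp_cli_csv: str) -> list:
    """Installed plugins whose title matches the target list, with activity and update state."""
    targets = {_normalize(t): t for t in TARGETED_PLUGIN_TITLES}
    findings = []
    for row in csv.DictReader(wp_cli_csv.splitlines()):
        key = _normalize(row["title"])
        matched = next((t for n, t in targets.items() if key.startswith(n)), None)
        if matched is None:
            continue  # not one of the plugins the campaign is known to hit
        findings.append({
            "slug": row["name"],
            "plugin": matched,
            "active": row["status"] == "active",
            "update_available": row["update"] == "available",
            "installed": row["version"],
            "latest": row.get("update_version") or row["version"],
        })
    return findings


def needs_action(findings: list) -> list:
    """Slugs of targeted plugins that are active and not yet on the latest version."""
    return [f["slug"] for f in findings if f["active"] and f["update_available"]]
```

On a live site, pipe the real `wp plugin list --format=csv --fields=name,title,status,update,version,update_version` output into `find_targeted_plugins` instead of the sample; anything returned by `needs_action` should be updated (or deactivated) first.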