Attackers tried to grab WordPress configuration files from over a million sites

A threat actor that attempted to insert a backdoor into nearly a million WordPress-based sites in early May (and kept trying throughout the month) then tried to grab the WordPress configuration files of 1.3 million sites at the end of the same month.


In both cases, the threat actor tried to exploit old vulnerabilities in outdated WordPress plugins and themes.

The latest attacks

“The previously reported XSS campaigns sent attacks from over 20,000 different IP addresses. The new campaign is using the same IP addresses, which accounted for the majority of the attacks and sites targeted. This campaign is also attacking nearly a million new sites that weren’t included in the previous XSS campaigns,” Wordfence threat analyst Ram Gall shared.

The goal of this latest campaign was to grab the wp-config.php file, which contains database credentials, connection information, and the site’s authentication keys and salts.

“An attacker with access to this file could gain access to the site’s database, where site content and users are stored,” Gall pointed out.

He did not say which specific plugins and themes the attackers zeroed in on, but noted that most of the targeted vulnerabilities are in themes and plugins that implement file downloads by reading the content of a file named in a query string and serving it as a downloadable attachment.
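The file-download pattern described above, shown as an added example (not code from the article or from Wordfence): the handler takes a file name from the query string and serves whatever it resolves to. The vulnerable variant joins the name straight onto the download directory, so a name containing parent-directory segments reaches files outside it; the hardened variant resolves the path, keeps only requests that stay inside the download directory, and serves only an allowlist of file types. The paths, the directory name and the allowlist are assumptions for illustration (Linux-style paths).

```python
import os

# Constructed, hypothetical layout: a document root and the one directory a
# download handler is supposed to serve from.
DOC_ROOT = "/var/www/html"
DOWNLOAD_DIR = os.path.join(DOC_ROOT, "wp-content", "uploads", "downloads")
# Hypothetical allowlist of types this handler has any business serving.
ALLOWED_SUFFIXES = (".pdf", ".zip", ".png", ".jpg")


def vulnerable_download_path(requested: str) -> str:
    """The pattern the text describes: the name from the query string is
    joined onto the download directory and the result is served as-is.
    Parent-directory segments in the name walk out of DOWNLOAD_DIR."""
    return os.path.normpath(os.path.join(DOWNLOAD_DIR, requested))


def safe_download_path(requested: str):
    """Hardened form. Returns the absolute path to serve, or None when the
    request must be refused: empty or NUL-containing names, anything that
    resolves outside DOWNLOAD_DIR, dotfiles, and non-allowlisted types."""
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(DOWNLOAD_DIR)
    # realpath also follows symlinks, so a link planted inside the directory
    # cannot be used to point the handler at a file outside it.
    candidate = os.path.realpath(os.path.join(base, requested))
    # Both paths are absolute, so commonpath compares whole path components
    # (a plain startswith() check would accept "downloads-private/...").
    if os.path.commonpath([base, candidate]) != base:
        return None  # escaped the download directory
    if os.path.basename(candidate).startswith("."):
        return None  # never serve dotfiles (.htaccess, .env, ...)
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None  # not a type this handler should ever serve
    return candidate


if __name__ == "__main__":
    for name in ("report.pdf", "../../../wp-config.php", "/etc/passwd", ".htaccess"):
        print(f"{name!r:32} vulnerable -> {vulnerable_download_path(name)}")
        print(f"{'':32} hardened   -> {safe_download_path(name)}")
```

The allowlist is deliberately strict; a handler that needs to serve other types should extend the tuple rather than drop the check, and the directory-containment test stays the primary control.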

How to check whether your sites have been hit

Blocking connections from all attacking IP addresses is not practical, because there are simply too many, but blocking the top 10 attacking IP addresses might be a good idea.

Site admins can check their server logs for entries containing wp-config.php in the query string that returned a 200 response code. If such entries exist and data was actually transferred, chances are their site(s) have been compromised by these attackers.

They should change their database password and the authentication unique keys and salts immediately, making sure to update the WP configuration file first.

“If you’re not comfortable making [these changes], please contact your host, since changing your database password without updating the wp-config.php file can temporarily take down your site,” he warned.
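The log check and the key rotation described above, as an added example (not code from the article or from Wordfence). The script parses Apache/nginx combined-format access-log lines, flags requests whose query string names wp-config.php and that got a 200 response with a non-empty body, ranks the source IPs that sent such requests, and produces fresh random values for the eight wp-config.php key and salt constants. The log lines, IP addresses and plugin/theme paths are constructed for the example; the constant names (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching _SALT constants) are the real ones WordPress defines in wp-config.php.

```python
import re
import secrets
from urllib.parse import urlsplit, unquote

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log; the plugin and theme paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2020:10:01:12 +0000] "GET /wp-content/plugins/example-downloader/download.php?file=../../../wp-config.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
203.0.113.10 - - [29/May/2020:10:01:15 +0000] "GET /wp-content/themes/example-theme/dl.php?f=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 251 "-" "Mozilla/5.0"
198.51.100.7 - - [29/May/2020:10:02:03 +0000] "GET /?s=wp-config.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.0.2.44 - - [29/May/2020:10:03:30 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [29/May/2020:10:04:01 +0000] "GET /wp-content/plugins/example-downloader/download.php?file=wp-config.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])  # "-" means no body
    return entry


def query_names_config(target):
    """True when the request's query string (URL-decoded) mentions wp-config.php."""
    return "wp-config.php" in unquote(urlsplit(target).query).lower()


def is_config_grab(entry):
    """The combination the text says to look for: wp-config.php in the query
    string, a 200 response, and a non-empty body actually sent back."""
    return query_names_config(entry["target"]) and entry["status"] == 200 and entry["bytes"] > 0


def find_config_grabs(lines):
    """All parsed entries that look like a successful configuration-file grab."""
    return [e for e in map(parse_line, lines) if e and is_config_grab(e)]


def top_attacking_ips(lines, n=10):
    """Source IPs sending requests that name wp-config.php, busiest first
    (ties broken by address), regardless of whether the request succeeded."""
    counts = {}
    for entry in map(parse_line, lines):
        if entry and query_names_config(entry["target"]):
            counts[entry["ip"]] = counts.get(entry["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


WP_SECRET_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                   "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def new_wp_secret_defines():
    """Fresh 64-character random values for the wp-config.php keys and salts,
    rendered as the define() lines that replace the existing ones."""
    return {name: "define('%s', '%s');" % (name, secrets.token_urlsafe(48))
            for name in WP_SECRET_NAMES}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in find_config_grabs(lines):
        print("possible wp-config.php grab:", hit["ip"], hit["time"], hit["target"])
    print("top sources:", top_attacking_ips(lines))
    print("\n".join(new_wp_secret_defines().values()))
```

The byte count matters: the third sample line names wp-config.php and got a 200, but the server sent nothing back, so it is counted as an attempt (it still contributes to the source-IP ranking) rather than as a grab. Rotating the database password is done in the database itself and then mirrored in wp-config.php; the generated define() lines only cover the keys and salts.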

It should go without saying that admins should regularly update plugins and delete those they don’t use anymore.

Nearly a million WordPress sites targeted in extensive attacks

A threat actor is actively trying to insert a backdoor into and compromise WordPress-based sites to redirect visitors to malvertising.


“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only in the past few days that they’ve truly ramped up, to the point where more than 20 million attacks were attempted against more than half a million individual sites on May 3, 2020,” Wordfence analysts discovered.

“Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites.”

About the attacks

The group has an obvious predilection for older cross-site scripting (XSS) and options update vulnerabilities in less popular WordPress plugins and themes such as Easy2Map, Blog Designer, WP GDPR Compliance, Total Donations, and the Newspaper theme.

Most of these vulnerabilities were patched months or years ago and are known to have been targeted before. Some of the targeted plugins have also been removed from online plugin repositories, including WordPress’ official one.

The analysts believe that the same actor is behind most of these attacks, as the payload they are attempting to inject – a malicious JavaScript – is the same.

“If the victim is not logged in, and is not on the login page, it redirects them to a malvertising URL. If the victim is logged into the site, the script attempts to inject a malicious PHP backdoor into the current theme’s header file, in addition to another malicious JavaScript,” they shared.

They expect the threat actor to take advantage of similar vulnerabilities in other plugins and themes.

What to do?

“The vast majority of these attacks are targeted at vulnerabilities that were patched months or years ago, and in plugins that don’t have a large number of users. While we did not see any attacks that would be effective against the latest versions of any currently available plugins, running a Web Application Firewall can also help protect your site against any vulnerabilities that might have not yet been patched,” Wordfence analysts noted.

K2 Cyber Security’s Timothy Chiu says that perimeter security tools like WAFs require a lot of tuning to be effective at protecting applications, and that companies typically don’t have the security resources required to do an adequate job.

For organizations with that problem, and for individuals who only run a site or two, the easiest way to minimize the attack surface is to keep plugins and themes up to date, delete plugins that are no longer needed, and remove those that have been pulled from the WordPress plugin repository.

Wordfence has provided indicators of compromise site administrators can use to check whether they’ve been hit.

WordPress and Apache Struts weaponized vulnerabilities on the rise

Vulnerabilities in leading web and application frameworks, if exploited, can have devastating effects like the Equifax breach which affected 147 million people, according to RiskSense.


Among the report’s key findings, total framework vulnerabilities in 2019 went down but the weaponization rate went up, WordPress and Apache Struts had the most weaponized vulnerabilities, and input validation surpassed cross-site scripting (XSS) as the most weaponized weakness in the frameworks examined.

“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance, or inherent security of applications,” said Srinivas Mukkamala, CEO of RiskSense.

“As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”

Most weaponized vulnerabilities

These two frameworks alone accounted for 57% of the weaponized vulnerabilities (those for which exploit code exists to take advantage of the weakness) in the past 10 years.

WordPress faced a wide variety of issues, but XSS was the most common problem, while input validation was the biggest risk for the Apache Struts framework. Their respective underlying languages, PHP for WordPress and Java for Struts, were also the most weaponized languages in the study.

2019 vulnerabilities are down, but weaponization is up

While the overall number of framework vulnerabilities was down in 2019 compared to previous years, the weaponization rate jumped to 8.6%, more than double the National Vulnerability Database (NVD) average of 3.9% for the same period. This uptick was primarily due to increased weaponization in Ruby on Rails, WordPress and Java.

Input validation replaces XSS as top weakness

While XSS issues were the most common vulnerability over the 10-year study period, they dropped to 5th when analyzed over the last 5 years. This is a sign that frameworks are making progress in this important area.

Meanwhile, input validation has emerged as the top security risk for frameworks, accounting for 24% of all weaponized vulnerabilities over the past 5 years, mostly affecting Apache Struts, WordPress, and Drupal.

Injection weaknesses are highly weaponized

Vulnerabilities tied to SQL injection, code injection, and various command injections remained fairly rare, but had some of the highest weaponization rates, often over 50%. In fact, the top 3 weaknesses by weaponization rate were command injection (60% weaponized), OS command injection (50% weaponized), and code injection (39% weaponized). This makes them some of the most sought-after weaknesses among attackers.

Shedding light on hidden threats

An organization’s web-facing applications represent fundamental digital assets that are essential to serving internal and external users. Their exposure to the outside world also means they are susceptible to constant attack.

Free trojanized WordPress themes lead to widespread compromise of web servers

Over 20,000 web servers (and who knows how many websites) have been compromised via trojanized WordPress themes to deliver malware through malicious ads, Prevailion researchers have discovered.


The compromised servers are located across the globe, and more than a fifth of all compromised entities are small to medium-sized businesses.

“This is most likely due to the fact that many lack the necessary funding or human capital to build a completely custom website, unlike larger, more established firms,” the company noted.

The scheme

The cybercriminals behind this scheme have been at it since late 2017 and they are not stopping.

They are taking advantage of the widespread use of the WordPress content management system, an increased demand for premium themes and victims’ lack of security awareness to get them to unknowingly compromise their own web servers.

To do that, they’ve set up as many as 30 websites that ostensibly offer thousands of free, pirated WordPress themes and plugins, and hosted the trojanized packages on them; among the most popular were Ultimate Support Chat, WooCommerce product filter and Slider Revolution.

Oblivious victims download and install the trojanized packages, which drop malicious files that allow the criminals to gain full control over the web server. They can then add an administrative account, recover the web admin’s email account and WordPress password hash, and possibly recover the password from it. (If the admin used the same password for other accounts, it may even allow them to access some corporate resources.)

The delivered loader and the first- and second-stage malware do things like:

  • Establish communications with the C&C server
  • Download additional files from it
  • Add a persistent cookie to website visitors who came to the site from one of several search engines and add their IP address to a list
  • Collect information about the compromised machine

They also allow the criminals to add web links or keywords to existing or new web pages on the compromised domain (to raise the sites’ SEO profile), display ads on the visited webpage even if the end-user is using an ad-blocker, and deliver either legitimate or malicious ads via the advertising service Propeller Ads.

“In numerous cases, the advertisements were completely benign and would direct the end user to a legitimate service or website. In other cases however, we observed pop-up ads prompting the user to download potentially unwanted programs (PUP),” the researchers noted.

In other cases, the ad would redirect them to a domain hosting an exploit kit. If successful, the kit would drop a malware downloader onto the victim’s machine.


What can you do?

The researchers advise organizations to avoid using pirated software, enable and update Windows Defender if their web server is running Windows, and not to reuse passwords across multiple accounts.

End users should regularly update their OS and software and consider using a plugin like NoScript to prevent remote JavaScript code from running on their machine.

The researchers named the malicious sites offering the trojanized themes and provided indicators of compromise that can help organizations check and detect whether their web servers have been compromised.