Jan 02, 2023 | Ravie Lakshmanan | Web Security / Linux


WordPress sites are being targeted by a previously unknown
strain of Linux malware that exploits flaws in over two dozen
plugins and themes to compromise vulnerable systems.

“If sites use outdated versions of such add-ons, lacking crucial
fixes, the targeted web pages are injected with malicious
JavaScripts,” Russian security vendor Doctor Web said[1]
in a report published last week. “As a result, when users click on
any area of an attacked page, they are redirected to other
sites.”

The attacks weaponize a list of known security vulnerabilities in
19 different plugins and themes that are likely to be installed on a
WordPress site, using them to deploy an implant that can target a
specific website and further expand the network.

It’s also capable of injecting JavaScript code retrieved from a
remote server in order to redirect the site visitors to an
arbitrary website of the attacker’s choice.

Doctor Web said it identified a second version of the backdoor,
which uses a new command-and-control (C2) domain as well as an
updated list of flaws spanning 11 additional plugins, taking the
total to 30.

The targeted plugins and themes are listed below:

  • WP Live Chat Support
  • Yuzo Related Posts[2]
  • Yellow Pencil Visual CSS Style Editor
  • Easy WP SMTP
  • WP GDPR Compliance
  • Newspaper (CVE-2016-10972[3])
  • Thim Core
  • Smart Google Code Inserter (discontinued[4] as of January 28, 2022)
  • Total Donations
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Live Chat with Messenger Customer Chat by Zotabox
  • Blog Designer
  • WordPress Ultimate FAQ (CVE-2019-17232[5] and CVE-2019-17233[6])
  • WP-Matomo Integration (WP-Piwik)
  • ND Shortcodes
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid
  • Brizy
  • FV Flowplayer Video Player
  • WooCommerce
  • Coming Soon Page & Maintenance Mode
  • Onetone
  • Simple Fields
  • Delucks SEO
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher, and
  • Rich Reviews

Both variants are said to include an unimplemented method for
brute-forcing WordPress administrator accounts, although it’s not
clear if it’s a remnant from an earlier version or a functionality
that’s yet to see the light.

“If such an option is implemented in newer versions of the
backdoor, cybercriminals will even be able to successfully attack
some of those websites that use current plugin versions with
patched vulnerabilities,” the company said.

WordPress users are recommended to keep all the components of
the platform up-to-date, including third-party add-ons and themes.
It’s also advised to use strong and unique logins and passwords to
secure their accounts.
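A practical first step toward the advice above is knowing which of the add-ons named in the list are actually installed. The following checker is an added example, not code from Doctor Web or the WordPress project: it parses WordPress-style file headers (the `Plugin Name:`, `Theme Name:` and `Version:` fields that WordPress core itself reads from the first 8 KiB of a plugin's main PHP file or a theme's `style.css`), inventories a `wp-content` tree, and flags any entry whose name matches the targeted list. It reports installed versions but does not judge whether a version is patched, because the article gives no fixed-version numbers; the sample `wp-content` layout and all version strings it builds are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Add-ons named in the Doctor Web list in the article (plugins and themes).
TARGETED_ADDONS = {
    "WP Live Chat Support", "Yuzo Related Posts", "Yellow Pencil Visual CSS Style Editor",
    "Easy WP SMTP", "WP GDPR Compliance", "Newspaper", "Thim Core",
    "Smart Google Code Inserter", "Total Donations", "Post Custom Templates Lite",
    "WP Quick Booking Manager", "Live Chat with Messenger Customer Chat by Zotabox",
    "Blog Designer", "WordPress Ultimate FAQ", "WP-Matomo Integration (WP-Piwik)",
    "ND Shortcodes", "WP Live Chat", "Coming Soon Page and Maintenance Mode", "Hybrid",
    "Brizy", "FV Flowplayer Video Player", "WooCommerce", "Onetone", "Simple Fields",
    "Delucks SEO", "Poll, Survey, Form & Quiz Maker by OpinionStage",
    "Social Metrics Tracker", "WPeMatico RSS Feed Fetcher", "Rich Reviews",
}

# Mirrors the header regex WordPress core uses: optional comment decoration,
# then "Field Name: value" on its own line.
_HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Theme Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE
)


def parse_header(text: str) -> dict:
    """Extract name/version fields from the first 8 KiB, as WordPress does."""
    fields = {}
    for key, value in _HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value.strip())  # first occurrence wins
    return fields


def normalize(name: str) -> str:
    """Fold '&'/'and' and whitespace so 'Page & Mode' matches 'Page and Mode'."""
    return re.sub(r"\s+", " ", name.replace("&", "and")).strip().lower()


TARGETED_NORMALIZED = {normalize(n) for n in TARGETED_ADDONS}


def inventory(wp_content) -> list:
    """Return (name, version, kind, path) for every plugin and theme under wp-content."""
    found = []
    for kind, sub in (("plugin", "plugins"), ("theme", "themes")):
        base = Path(wp_content) / sub
        if not base.is_dir():
            continue
        for entry in sorted(base.iterdir()):
            if entry.is_file() and entry.suffix == ".php":       # single-file plugin
                candidates = [entry]
            elif entry.is_dir():                                  # plugin dir or theme dir
                candidates = sorted(entry.glob("*.php")) if kind == "plugin" else [entry / "style.css"]
            else:
                candidates = []
            for f in candidates:
                if not f.is_file():
                    continue
                hdr = parse_header(f.read_text(errors="replace"))
                name = hdr.get("Plugin Name" if kind == "plugin" else "Theme Name")
                if name:
                    found.append((name, hdr.get("Version", "unknown"), kind, str(f)))
                    break  # one header file per add-on is enough
    return found


def flag_targeted(items: list) -> list:
    """Keep only add-ons whose name is on the targeted list."""
    return [i for i in items if normalize(i[0]) in TARGETED_NORMALIZED]


def build_sample_wp_content(root) -> Path:
    """Constructed sample tree (not a real site); every version string is made up."""
    plugins, themes = Path(root) / "plugins", Path(root) / "themes"
    (plugins / "easy-wp-smtp").mkdir(parents=True)
    (plugins / "easy-wp-smtp" / "easy-wp-smtp.php").write_text(
        "<?php\n/*\nPlugin Name: Easy WP SMTP\nVersion: 0.0.1\n*/\n")
    (plugins / "hello.php").write_text(
        "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 0.0.2\n */\n")
    (themes / "newspaper").mkdir(parents=True)
    (themes / "newspaper" / "style.css").write_text(
        "/*\nTheme Name: Newspaper\nVersion: 0.0.3\n*/\n")
    (themes / "other").mkdir()
    (themes / "other" / "style.css").write_text(
        "/*\nTheme Name: Some Unrelated Theme\nVersion: 0.0.4\n*/\n")
    return Path(root)


def run_demo() -> list:
    """Build the sample tree, inventory it, and return the flagged add-ons."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_wp_content(tmp)
        flagged = flag_targeted(inventory(tmp))
    for name, version, kind, path in flagged:
        print(f"[REVIEW] {kind} '{name}' version {version} at {path}: on the targeted list, "
              f"confirm it is updated to the vendor's current release")
    return flagged


if __name__ == "__main__":
    run_demo()
```

Point `inventory()` at a real site's `wp-content` directory to get the live list; a hit means only that the add-on is one the malware looks for, so the follow-up is to compare the reported version with the vendor's current release and update or remove it.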

The disclosure comes weeks after Fortinet FortiGuard Labs
detailed another botnet called GoTrim[7]
that’s designed to brute-force self-hosted websites using the
WordPress content management system (CMS) to seize control of
targeted systems.

Last month, Sucuri noted that more than 15,000 WordPress sites
had been breached as part of a malicious campaign[8]
to redirect visitors to bogus Q&A portals. The number of active
infections currently stands[9]
at 9,314.

The GoDaddy-owned website security company, in June 2022, also
shared information about a traffic direction system (TDS) known as
Parrot[10] that has been observed
targeting WordPress sites with rogue JavaScript that drops
additional malware onto hacked systems.


References

  1. said (news.drweb.com)
  2. Yuzo Related Posts (www.wordfence.com)
  3. CVE-2016-10972 (nvd.nist.gov)
  4. discontinued (wordpress.org)
  5. CVE-2019-17232 (nvd.nist.gov)
  6. CVE-2019-17233 (nvd.nist.gov)
  7. GoTrim (thehackernews.com)
  8. malicious campaign (thehackernews.com)
  9. currently stands (publicwww.com)
  10. Parrot (thehackernews.com)
  11. Twitter (twitter.com)
  12. LinkedIn (www.linkedin.com)
