Attacks on WordPress Sites Surge

guest · May 5, 2020

A hacker group tried to hijack 900,000 WordPress sites over the last week
Massive hacking operations causes a 30 times spike in bad traffic
May 5, 2020
https://www.zdnet.com/article/a-hac...ck-900000-wordpress-sites-over-the-last-week/

A hacker group has attempted to hijack nearly one million WordPress sites in the last seven days, according to a security alert issued today by cyber-security firm Wordfence.

The company says that since April 28, this particular hacker group has engaged in a hacking campaign of massive proportions that caused a 30x uptick in the volume of attack traffic Wordfence has been tracking.

"While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it's only in the past few days that they've truly ramped up," said Ram Gall, QA engineer at Wordfence.
The attacks peaked on Sunday, May 3, when the group launched more than 20 million exploitation attempts against half a million domains.
Click to expand...

Gall says the group primarily exploited cross-site scripting (XSS) vulnerabilities to plant malicious JavaScript code on websites, to redirect incoming traffic to malicious sites.

Wordfence says the hackers used a broad spectrum of vulnerabilities for their attacks.
However, Wordfence also warns that the threat actor is sophisticated enough to develop new exploits and is likely to pivot to other vulnerabilities in the future.
Click to expand...

Wordfence: Nearly a Million WP Sites Targeted in Large-Scale Attacks

guest · Jun 3, 2020

Large-scale attack tries to steal configuration files from WordPress sites
June 3, 2020
https://www.zdnet.com/article/large...eal-configuration-files-from-wordpress-sites/

Hackers have launched a massive campaign against WordPress websites over the past weekend, attacking old vulnerabilities in unpatched plugins to download configuration files from WordPress sites.

The goal of the attack was to use old exploits to download or export wp-config.php files from unpatched websites, extract database credentials, and then use the usernames and passwords to take over databases.
Ram Gall, a QA engineer at Wordfence, a provider of web application firewall (WAF) services, said that last weekend's attack was of massive proportions when compared to what the company was seeing on a daily basis.

Gall said "this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem."
Gall said Wordfence blocked more than 130 million exploitation attempts on its network alone, which targeted more than 1.3 million WordPress sites, however, the attacks are believed to have targeted even many more other sites, not covered by the company's network.
Click to expand...

During the first campaign, the threat actor used a batch of XSS (cross-site scripting) vulnerabilities and attempted to insert new admin users and backdoors on targeted sites.
The first campaign was also similarly massive in scale, as the group's XSS attacks outweighed all the XSS attacks carried out by other groups combined (see second chart below).

Gall believes the two campaigns, albeit they targeted different vulnerabilities, have most likely been orchestrated by the same threat actor.
Click to expand...

Wordfence: Large Scale Attack Campaign Targets Database Credentials

guest · Nov 17, 2020

Hackers are actively probing millions of WordPress sites
November 17, 2020
https://www.bleepingcomputer.com/ne...actively-probing-millions-of-wordpress-sites/

Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150,000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers.

"So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses," Wordfence QA engineer and threat analyst Ram Gall said.
Scanning for vulnerable sites
The ongoing large-scale wave of attacks against potentially vulnerable WordPress websites is targeting recently patched vulnerabilities.
While the security flaws found during the last few months in themes using the Epsilon Framework could allow for site takeover through an exploit chain ending in remote code execution (RCE), most of these ongoing attacks are designed to only probe for vulnerabilities.

"We are not providing additional detail on the attacks at this time, as the exploit does not yet appear to be in a mature state and a large number of IP addresses are in use," Gall added.
Click to expand...

Vulnerable theme versions
These versions of targeted Epsilon Framework themes are known to be vulnerable to these attacks: [...]

In May, another massive attack campaign targeted roughly 900,000 WordPress sites within a single week trying to plant backdoors or redirect visitors to malvertising sites.
One month later, another series of attacks attempted to harvest database credentials from approximately 1.3 million WordPress sites by downloading configuration files
Click to expand...

Wordfence: Large-Scale Attacks Target Epsilon Framework Themes

On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites.
While we occasionally see attacks targeting a large number of sites, most of them target older vulnerabilities.

This wave of attacks is targeting vulnerabilities that have only been patched in the last few months.
Click to expand...

guest · Jul 17, 2022

Attackers scan 1.6 million WordPress sites for vulnerable plugin
July 15, 2022

Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication.

The attackers are targeting the Kaswara Modern WPBakery Page Builder, which has been abandoned by its author before receiving a patch for a critical severity flaw tracked as CVE-2021-24284.
While the size of the campaign is impressive, with 1,599,852 unique sites being targeted, only a small portion of them are running the vulnerable plugin.
Click to expand...

Indistinct large-scale attacks
Based on Wordfence telemetry data, the attacks started on July 4 and continue to this day. and are still ongoing today at an average of 443,868 attempts every day.

The attacks originate from 10,215 distinct IP addresses, with some having generated millions of requests while others are limited to lower numbers, the reearchers say.
Click to expand...

Wordfence: PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability

The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin.

The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website.
Click to expand...

guest · Sep 3, 2022

Malicious Plugins Found on 25,000 WordPress Websites: Study
By Ionut Arghire - August 29, 2022

Researchers at Georgia Institute of Technology have identified malicious plugins on tens of thousands of WordPress websites.
An analysis of nightly backups of more than 400,000 unique web servers has revealed the existence of more than 47,000 malicious plugins installed on nearly 25,000 unique WordPress websites. More than 94% of these plugins (over 44,000) continue to be in use today.

Over 3,600 of the identified malicious plugins were purchased from legitimate marketplaces such as CodeCanyon, Easy Digital Downloads, and ThemeForest. The majority of these plugins did not use obfuscation to hide their malicious behavior, the academics say in a research paper.
Click to expand...

The dataset used for the research spanned over a period of eight years, between July 2012 and July 2020, and revealed a steady increase in the number of installed malicious plugins, with the activity reaching a peak in March 2020.

According to the researchers, adversaries buy the codebase of popular free plugins and then add malicious code and wait for users to apply automatic updates. Attackers were also observed impersonating benign plugin authors to distribute malware via pirated plugins.
Of the identified malicious plugins, more than 10,000 used webshells and code obfuscation. The researchers also identified cases of plugin-to-plugin infection, where a malicious plugin infects other plugins on the same web server, replicating its behavior.
Click to expand...

Overall, more than 40,000 of plugin instances were infected post-deployment. In many cases, attackers abused the infrastructure to inject malicious plugins into websites, and then attempted to maintain access to the web servers.

The researchers also discovered more than 6,000 plugins that impersonated benign plugins available through legitimate marketplaces, while offering a trial option to website owners, something that is not typically available in most paid plugin marketplaces.
Click to expand...

Mistrust Plugins You Must: A Large-Scale Study Of Malicious Plugins In WordPress Marketplaces
(PDF): https://www.usenix.org/system/files/sec22-kasturi.pdf

guest · Sep 9, 2022

Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts
By Ravie Lakshmanan - September 9, 2022

A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed.

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said.
Click to expand...

BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others.

The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 8.5.8.0 to 8.7.4.1. It's been addressed in version 8.7.5 released on September 2, 2022.
Click to expand...

The issue is rooted in the function called "Local Directory Copy" that's designed to store a local copy of the backups. According to Wordfence, the vulnerability is the result of the insecure implementation, which enables an unauthenticated threat actor to download any arbitrary file on the server.

Wordfence noted that the targeting of CVE-2022-31474 commenced on August 26, 2022, and that it has blocked nearly five million attacks in the intervening time period.
Click to expand...

Wordfence: PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin

By Chloe Chamberland - September 7, 2022
Late evening, on September 6, 2022, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in BackupBuddy, a WordPress plugin we estimate has around 140,000 active installations. This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information.
Click to expand...

guest · Dec 30, 2022

New Linux malware uses 30 plugin exploits to backdoor WordPress sites
By Bill Toulas @billtoulas - December 30, 2022

A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.
Click to expand...

According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities.

The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.
Click to expand...

If the targeted website runs an outdated and vulnerable version of any of the above, the malware automatically fetches malicious JavaScript from its command and control (C2) server, and injects the script into the website site.
Infected pages act as redirectors to a location of the attacker's choosing, so the scheme works best on abandoned sites.

These redirections may serve in phishing, malware distribution, and malvertising campaigns to help evade detection and blocking. That said, the operators of the auto-injector might be selling their services to other cybercriminals.
Click to expand...

Dr. Web: Linux backdoor malware infects WordPress-based websites

December 30, 2022
Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts. As a result, when users click on any area of an attacked page, they are redirected to other sites.
Click to expand...

For many years cybercriminals have been attacking WordPress-driven websites. Information security experts register cases when various vulnerabilities of the WordPress platform are used in order to hack sites and inject malicious scripts into them. An analysis of an uncovered trojan application, performed by Doctor Webs’ specialists, revealed that it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage.
Click to expand...

guest · Jan 24, 2023

75k WordPress sites impacted by critical online course plugin flaws
By Bill Toulas @billtoulas - January 24, 2023

The WordPress online course plugin 'LearnPress' was vulnerable to multiple critical-severity flaws, including pre-auth SQL injection and local file inclusion.
Click to expand...

LearnPress is a learning management system (LMS) plugin that allows WordPress websites to easily create and sell online courses, lessons, and quizzes, providing visitors with a friendly interface while requiring no coding knowledge from the website developer.

The vulnerabilities in the plugin, used in over 100,000 active sites, were discovered by PatchStack between November 30 and December 2, 2022, and reported to the software vendor.
This means that roughly 75,000 websites could be using a vulnerable version of LearnPress, exposing themselves to severe security flaws, the exploitation of which can have serious repercussions.
Click to expand...

The first vulnerability discovered by PatchStack is CVE-2022-47615, an unauthenticated local file inclusion (LFI) flaw that allows attackers to display the contents of local files stored on the web server.
This could expose credentials, authorization tokens, and API keys, leading to further compromise.

The second critical flaw is CVE-2022-45808, an unauthenticated SQL injection potentially leading to sensitive information disclosure, data modification, and arbitrary code execution.
The third flaw impacting older LearnPress versions is CVE-2022-45820, an authenticated SQL injection flaw in two shortcodes of the plugin ("learn_press_recent_courses" and "learn_press_featured_courses") failing to properly validate and sanitize the input of the "$args" variable.
Click to expand...

EASTER · Jan 24, 2023

I remember a time when Wordpress was the most exciting site and everyone flocked to it including me. That was before hacker intrusions just like this one figured out ways to deface it and more so easily.

xxJackxx · Jan 24, 2023

WordPress exists because it is easy. Unfortunately that applies to the hackers as well.

guest · Jan 25, 2023

Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages
Ravie Lakshmanan - January 25, 2023

A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that's been believed to be active since at least 2017.
Click to expand...

According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "track[.]violetlovelines[.]com" that's designed to redirect visitors to unwanted sites.

The latest operation is said to have been active since December 26, 2022, according to data from urlscan.io. A prior wave seen in early December 2022 impacted more than 3,600 sites, while another set of attacks recorded in September 2022 ensnared more than 7,000 sites.
Click to expand...

The rogue code is inserted in the WordPress index.php file, with Sucuri noting that it has removed such changes from more than 33,000 files on the compromised sites in the past 60 days.

"In recent months, this malware campaign has gradually switched from the notorious fake CAPTCHA push notification scam pages to black hat 'ad networks' that alternate between redirects to legitimate, sketchy, and purely malicious websites," Sucuri researcher Denis Sinegubko said.
Click to expand...

Even more troublingly, the website for one such ad blocker named Crystal Blocker is engineered to display misleading browser update alerts to trick the users into installing its extension depending on the web browser used.

Some of the redirects also fall into the outright nefarious category, with the infected websites acting as a conduit for initiating drive-by downloads.
Click to expand...

Sucuri: Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network

January 24, 2023
Every so often attackers register a new domain to host their malware. In many cases, these new domains are associated with specific malware campaigns, often related to redirecting legitimate website traffic to third party sites of their choosing — including tech support scams, adult dating, phishing, or drive-by-downloads.

Since late December, our team has been tracking a new spike in WordPress website infections related to the following malicious domain: track[.]violetlovelines[.]com
Click to expand...

Log in or Sign up

Attacks on WordPress Sites Surge

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

EASTER Registered Member

xxJackxx Registered Member

guest Guest

Log in or Sign up

Attacks on WordPress Sites Surge

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

EASTER Registered Member

xxJackxx Registered Member

guest Guest

Useful Searches