Attacks on WordPress Sites Surge

mood · May 5, 2020

A hacker group tried to hijack 900,000 WordPress sites over the last week
Massive hacking operations causes a 30 times spike in bad traffic
May 5, 2020
https://www.zdnet.com/article/a-hac...ck-900000-wordpress-sites-over-the-last-week/

A hacker group has attempted to hijack nearly one million WordPress sites in the last seven days, according to a security alert issued today by cyber-security firm Wordfence.

The company says that since April 28, this particular hacker group has engaged in a hacking campaign of massive proportions that caused a 30x uptick in the volume of attack traffic Wordfence has been tracking.

"While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it's only in the past few days that they've truly ramped up," said Ram Gall, QA engineer at Wordfence.
The attacks peaked on Sunday, May 3, when the group launched more than 20 million exploitation attempts against half a million domains.
Click to expand...

Gall says the group primarily exploited cross-site scripting (XSS) vulnerabilities to plant malicious JavaScript code on websites, to redirect incoming traffic to malicious sites.

Wordfence says the hackers used a broad spectrum of vulnerabilities for their attacks.
However, Wordfence also warns that the threat actor is sophisticated enough to develop new exploits and is likely to pivot to other vulnerabilities in the future.
Click to expand...

Wordfence: Nearly a Million WP Sites Targeted in Large-Scale Attacks

mood · Jun 3, 2020

Large-scale attack tries to steal configuration files from WordPress sites
June 3, 2020
https://www.zdnet.com/article/large...eal-configuration-files-from-wordpress-sites/

Hackers have launched a massive campaign against WordPress websites over the past weekend, attacking old vulnerabilities in unpatched plugins to download configuration files from WordPress sites.

The goal of the attack was to use old exploits to download or export wp-config.php files from unpatched websites, extract database credentials, and then use the usernames and passwords to take over databases.
Ram Gall, a QA engineer at Wordfence, a provider of web application firewall (WAF) services, said that last weekend's attack was of massive proportions when compared to what the company was seeing on a daily basis.

Gall said "this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem."
Gall said Wordfence blocked more than 130 million exploitation attempts on its network alone, which targeted more than 1.3 million WordPress sites, however, the attacks are believed to have targeted even many more other sites, not covered by the company's network.
Click to expand...

During the first campaign, the threat actor used a batch of XSS (cross-site scripting) vulnerabilities and attempted to insert new admin users and backdoors on targeted sites.
The first campaign was also similarly massive in scale, as the group's XSS attacks outweighed all the XSS attacks carried out by other groups combined (see second chart below).

Gall believes the two campaigns, albeit they targeted different vulnerabilities, have most likely been orchestrated by the same threat actor.
Click to expand...

Wordfence: Large Scale Attack Campaign Targets Database Credentials

mood · Nov 17, 2020

Hackers are actively probing millions of WordPress sites
November 17, 2020
https://www.bleepingcomputer.com/ne...actively-probing-millions-of-wordpress-sites/

Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150,000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers.

"So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses," Wordfence QA engineer and threat analyst Ram Gall said.
Scanning for vulnerable sites
The ongoing large-scale wave of attacks against potentially vulnerable WordPress websites is targeting recently patched vulnerabilities.
While the security flaws found during the last few months in themes using the Epsilon Framework could allow for site takeover through an exploit chain ending in remote code execution (RCE), most of these ongoing attacks are designed to only probe for vulnerabilities.

"We are not providing additional detail on the attacks at this time, as the exploit does not yet appear to be in a mature state and a large number of IP addresses are in use," Gall added.
Click to expand...

Vulnerable theme versions
These versions of targeted Epsilon Framework themes are known to be vulnerable to these attacks: [...]

In May, another massive attack campaign targeted roughly 900,000 WordPress sites within a single week trying to plant backdoors or redirect visitors to malvertising sites.
One month later, another series of attacks attempted to harvest database credentials from approximately 1.3 million WordPress sites by downloading configuration files
Click to expand...

Wordfence: Large-Scale Attacks Target Epsilon Framework Themes

On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites.
While we occasionally see attacks targeting a large number of sites, most of them target older vulnerabilities.

This wave of attacks is targeting vulnerabilities that have only been patched in the last few months.
Click to expand...

Log in or Sign up

Attacks on WordPress Sites Surge

mood Updates Team

mood Updates Team

mood Updates Team