Hackers compete for vulnerable WordPress sites

Recently, a dangerous vulnerability was found in the File Manager plugin for WordPress that allows uploading malicious files to sites. Hackers have already started competing for WordPress sites that are affected by this vulnerability.

The File Manager plugin is used by over 700,000 resources, and although the vulnerability has already been patched a few days ago, more than half of the sites were still considered vulnerable.

Attacks on this vulnerability began almost immediately: cybercriminals uploaded web shells to websites that allowed them to take control of the resource and use it for their own purposes.

“Attackers are trying to inject various files into websites. In some cases, these files were empty (obviously, the hackers were only testing the vulnerability), other malicious files were named hardfork.php, hardfind.php and x.php and Feoidasf4e0_index.php”, – wrote the researchers.

Earlier this week, Defiant specialists, standing behind the development of Wordfence, warned that attacks against the vulnerability continue to grow rapidly. In total, experts reported attacks on 1.7 million resources.

Defiant experts have now released an update on the situation, which continues to deteriorate. Thus, according to the company, 2.6 million WordPress sites have already been attacked.

“A lot of hackers are currently trying to attack a vulnerability in File Manager, but two of them have been most successful in deploying malware to vulnerable sites”, — report the researchers.

One of these hackers is the Moroccan attacker bajatax, previously known to experts for its propensity to steal user credentials from PrestaShop e-commerce sites.

After hacking of the site, bajatax injects malicious code on the resource that collects and steals user credentials, which are retrieved through Telegram, and then sold to anyone, who offers the best price.

Another hacker injects backdoors into the randomized folder and the root of the compromised sites. In both cases, the malware is disguised as .ico files, apparently to reduce the likelihood of detecting both malware at once. This attacker uses compromised resources to deploy miners as well as conduct SEO spam campaigns.

In doing so, both attackers try to protect sites from other attackers and password protect the vulnerable connector.minimal.php file, which is the cornerstone of the entire attack.

Hackers compete for WordPress sites
Hackers protect vulnerable site

“The aforementioned attackers are most successful due to their efforts to block other attackers, and together they use several thousand IP addresses in their attacks”, — write the analysts.

In total, Defiant experts recorded attacks on the File Manager vulnerability from 370,000 individual IP addresses, and this activity is almost never crossed by active attempts to access backdoors. The only exception is the IP address 51.83.216[.]204: the people behind it opportunistically check for both backdoors on compromised sites and try to add their own backdoor to the resource (with little success, though).

Let me remind you that vulnerabilities in two plugins that endanger a million of WordPress sites were discovered in May this year, and about 900 thousand sites were exposed to hacker attacks just within one week.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Check Also

Cybercriminals hijacking GoDaddy’s domains

Cybercriminals are hijacking GoDaddy’s cryptocurrency domains

Well-known cybersecurity journalist Brian Krebs reported that cybercriminals are hijacking GoDaddy’s cryptocurrency domains. GoDaddy employees …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.