WordPress sites running the OneTone theme are being actively targeted by hackers, who are exploiting a vulnerability that lets them read and write cookies on the site and create backdoor admin accounts.
The campaign has been going on since the beginning of the month and is still running.
The vulnerability is a cross-site scripting (XSS) bug in the OneTone theme, a popular but deprecated WordPress theme developed by Magee WP and available in both free and paid versions.
Security Problem Left Unfixed
The XSS vulnerability enables an attacker to inject malicious code into the theme's settings. The bug was discovered in September last year by Jerome Bruandet of NinTechNet and reported to the theme's author and to the WordPress team.
Magee WP, whose website has received no updates since 2018, has refused to release a patch. Following Magee's failure to patch, a month later, in October 2019, the WordPress team delisted the free edition of the theme from the official WordPress repository.
Attackers began exploiting this vulnerability earlier this month, according to research from Sucuri, a GoDaddy-owned cyber-security firm. Read the full research post by Sucuri.
Sucuri experts say hackers used the XSS flaw to inject malicious code into the OneTone theme's settings. Since the theme reads these settings before any page is loaded, the code is triggered on every page of a vulnerable site.
Used for Hijacking Traffic & Establishing Backdoor Accounts
Luke Leal, from Sucuri, says the code has two main functions: one redirects certain incoming visitors to a traffic management network hosted at ischeck[.]xyz, while the second sets up mechanisms for backdoor access.
Yet for most visitors to the site, the backdoor function remains dormant; it activates only when an administrator visits the site.
The malicious code distinguishes site administrators from regular visitors by looking for the WordPress admin toolbar at the top of the page, which appears only for logged-in administrators.
If it detects an admin-level user, the XSS-injected malicious code silently performs a series of automatic operations, abusing the admin user's access without their knowledge.
Leal says the backdoors are created in two ways: by adding an admin account to the WordPress dashboard (with the username system) or by creating a server-side administrator-level cookie file (named Tho3faeK).
The purpose of both backdoors is to preserve the attacker's access to the site in case the XSS code is removed from the OneTone settings or the OneTone XSS vulnerability is patched.
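The two places the article says to look, the theme's stored settings and the administrator list, are easy to audit. As an added example that is not part of the original article or of Sucuri's research, the Python script below runs two checks over constructed sample data: it scans theme option values (modelled on a wp_options export; the onetone_* option names are assumptions) for HTML or JavaScript that a theme setting should never contain, and it compares the administrator accounts against an owner-maintained allowlist. On a real site the two dictionaries would be filled from the wp_options and wp_users tables.

```python
import re
from html import unescape

# Generic indicators of markup injected into a setting that the theme later
# echoes into every page. These are heuristics, not a signature for the
# specific campaign described in the article.
INJECTION_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # onload=, onerror=, ...
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*iframe\b", re.I),
    re.compile(r"(?:%3C|&lt;)\s*script", re.I),  # encoded variants
]


def find_injected_settings(options):
    """Return [(option_name, matched_pattern)] for values that look like
    injected markup. `options` maps option name -> stored value, e.g. the
    theme's rows from wp_options."""
    findings = []
    for name, value in options.items():
        if not isinstance(value, str):
            continue
        text = unescape(value)  # catch entity-encoded payloads too
        for pat in INJECTION_PATTERNS:
            if pat.search(text):
                findings.append((name, pat.pattern))
                break  # one finding per option is enough
    return findings


def unexpected_admins(users, allowlist):
    """Return administrator usernames that are not in the owner's allowlist.
    `users` is a list of {"login": str, "roles": [str, ...]} dicts."""
    return sorted(
        u["login"]
        for u in users
        if "administrator" in u.get("roles", []) and u["login"] not in allowlist
    )


# Constructed sample data, not taken from any real site. Option names are assumed.
SAMPLE_OPTIONS = {
    "onetone_header_text": "Welcome to our store",
    "onetone_footer_text": 'Copyright 2020 <script src="https://example.invalid/x.js"></script>',
    "onetone_custom_css": "body { color: #333; }",
    "onetone_tagline": "Great <img src=x onerror=alert(1)> deals",
}

SAMPLE_USERS = [
    {"login": "owner", "roles": ["administrator"]},
    {"login": "editor1", "roles": ["editor"]},
    {"login": "system", "roles": ["administrator"]},  # username quoted in the article
]

KNOWN_ADMINS = {"owner"}

if __name__ == "__main__":
    for name, pat in find_injected_settings(SAMPLE_OPTIONS):
        print(f"suspicious option {name!r} matched /{pat}/")
    for login in unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print(f"administrator not in allowlist: {login}")
```

The option scan only covers the injected settings; the cookie-based backdoor the article describes lives in a server-side file, so a cleanup also has to review the theme's files on disk, not just the database.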
Magee WP did not respond to a request for comment from Sucuri two weeks ago, despite having been informed of the flaw last year.
Attacks on sites running OneTone are also ongoing. Two weeks ago, Sucuri said that more than 20,000 WordPress sites were running the OneTone theme.
Today that number has fallen below 16,000, as site owners have started switching to other themes in light of the ongoing hacks.