WordPress sites running on OneTone theme are actively targeted by hackers. To exploit a vulnerability that allows them to read and write cookies to the site and create backdoor admin accounts.
The campaign has been going on since the beginning of the month and is still running.
The vulnerability is a cross-site scripting (XSS) bug in the OneTone theme. A popular but deprecated WordPress theme developed by Magee WP, available both in free and paid versions.
Safety Problem Left Unfixed
The XSS vulnerability enables an attacker to inject malicious code within settings of the theme. The bug was discovered in September last year by Jerome Bruandet of NinTechNet. And reported to the author and WordPress team on the theme.
Magee WP, whose website has received no updates since 2018, has refused to release a patch. Following Magee’s inability to patch, a month later, in October 2019. The WordPress team delisted the free edition of the theme from the official WordPress repository.
Attackers began exploiting this vulnerability earlier this month according to a GoDaddy-owned cyber-security firm Sucuri research. Read the full research post done by Sucuri.
Sucuri experts say hackers used the XSS flaw to inject malicious code within the settings on the OneTone theme. Since these settings tested by the theme before any page load, the code triggers any vulnerable site page.
Used for Grabbing Traffic & Establishing Bypass Accounts
Luke Leal, from Sucuri, says the code has two main functions. One is to redirect certain incoming users of the site to a traffic management network hosted at ischeck[.]xyz, while the second feature establishes mechanisms for backdoor use.
Image Source: Sucuri
Yet for most users visiting the site, the backdoor function is dormant. It activates only when the administrators visit the site.
The malicious code will distinguish site administrators who visit the site from regular users as it searches for the appearance at the top of the page of the WordPress admin toolbar, which only appears for logged-in administrators.
If it detects an admin-level user, a series of silent automatic operations performed by the XSS-inserted malicious code, exploiting access to the admin user without their knowledge.
Leal says backdoors created in two ways — by adding an admin account to the WordPress dashboard (the user-named system) or by creating a server-side administrator-level cookie file (the cookie file called Tho3faeK).
The two backdoors’ function is to allow the attacker access to the site in the event. That the XSS code removed from the OneTone settings or the XSS OneTone vulnerability is patched.
The company did not respond to a request for comment from Sucuri two weeks ago, despite being informed last year.
Attacks on domains targeting OneTone are also ongoing. Two weeks ago, Sucuri announced that over 20,000 WordPress sites were running a theme on OneTone.
Today, the number has fallen to below 16,000, as site owners have started switching to other themes in light of the hacks that are currently underway.
Finally
Backdoors are a common component of most malware campaigns. Because they allow attackers to create and retain unauthorized access long after the initial infection. The admin user-generated by this malware injection clearly illustrates how. Also, vulnerabilities inside common components, using which an intruder can exploit JavaScript to obtain and maintain unauthorized access to a website.
This malicious JavaScript malware loaded into the pages of a website. Also, It can detect services that search the website externally, such as SiteCheck, unlike PHP admin user malware. Which is not generally detectable externally on the site. Website owners are best off using a server-side scanning tool for more detailed environmental checks. And This approach used to detect both JavaScript and PHP admin user malware. A server-side scanner can help you detect a wide range of malware, including backdoors, phishing sites, spam scripts, and DDoS.
You may also like:
Leave A Comment