More than 900,000 WordPress sites were targeted by a hacker group. That aimed at redirecting visitors to malicious sites or inserting backdoors to the header of a theme when an administrator is logged into.
Also, these attacks targeted Cross-Site Scripting(XSS) vulnerabilities that began on April 28, 2020. And grew to around 30 times than the usual amount over the next few days, as reported by Wordfence.
“While our records show that this threat actor may have sent out a smaller volume of attacks in the past. It’s only in the past few days that they’ve truly ramped up,” said Ram Gall, QA engineer at Wordfence.
Gall claims the group conducted attacks from over 24,000 different IP addresses and tried to break into over 900,000 WordPress sites.
The attacks exploded on Sunday, May 3, when the group launched over 20 million attempts at manipulation against half a million domains.
The malicious code also searched incoming visitors for logged-in administrators and then tried to automate backdoor account formation for unsuspecting admin users.
Various attacks techniques observed
Wordfence states the hackers were using a wide variety of vulnerabilities for their attacks. Below are the details of various techniques observe during the last week:
- An XSS flaw in the Easy2Map plugin that withdrawn in August 2019 from the WordPress plug-in repository. Wordfence says attempts to exploit this vulnerability accounted for more than half of the attacks, despite the plug-in being activated on less than 3,000 WordPress sites.
- An XSS vulnerability that was patched in Blog Designer in 2019. Wordfence estimates that 1,000 approximately use this plugin and that this vulnerability was also the target of other campaigns.
- An option update vulnerability in late 2018 patched WP GDPR Compliance that would allow attackers to alter the home URL of the site, in addition to other options. Despite having more than 100,000 installs on this plugin, Wordfence reports that no more than 5,000 vulnerable installs remain.
- In Total Donations, options update vulnerability that would allow attackers to alter the home URL of the site. This plugin permanently removed from Envato Marketplace in early 2019. However, Wordfence claims that there are still fewer than 1,000 installations in total.
- In the Newspaper theme, an XSS vulnerability fixed in 2016. This flaw was once a target in the past as well.
What should you do?
Wordfence also warns that the threat actor sufficiently advanced to create new exploits. And is likely to turn on other vulnerabilities in the future. Most attacks on Cross-Site Scripting(XSS) follow trends that can block regardless of the particular vulnerability being targeted.
In a case like this, the most important thing you can do is keep your plugins up to date. And deactivate and remove any plugins that have been removed from the list of WordPress plugins.
The vast majority of such attacks target vulnerabilities that patched months or years earlier. As well as plugins that do not have a significant number of users. Also, running a Web Application Firewall may also help protect your site. From any vulnerabilities that might not have been patched yet.
You may also like: