A hacker group is exploiting vulnerabilities in more than ten WordPress plugins to create rogue admin accounts on WordPress sites across the internet.
Considering that the number of total active websites is estimated at over 172 million according to a survey published by Netcraft, that means that around 75,000,000 websites are using WordPress right now
The attacks are an escalation part of a hacking campaign that started last month. During previous attacks, the hackers exploited vulnerabilities in the same plugins to plant malicious code on the hacked sites. This code was meant to show popup ads or to redirect incoming visitors to other websites.
However, two weeks ago, the group behind these attacks changed its tactics. Mikey Veenstra, a threat analyst with cybersecurity firm Defiant, told ZDNet today that starting with August 20, the hacker group modified the malicious code planted on hacked sites.
Instead of just inserting pop-ups and redirects, the malicious code also ran a function in order to test if the site visitor had the ability to create user accounts on the site, a feature only available for WordPress admin accounts.
Basically, this malicious code waited for the site owner to access their own websites. When they did, the malicious code created a new admin account named wpservices, using the email address of firstname.lastname@example.org, and password of w0rdpr3ss.
By creating these accounts, the hacker group behind this campaign changed tactics from exploiting sites for monetary profits, to also adding backdoors for future use, and for a more persistence foothold.
According to Veenstra, these recent attacks are targeting older vulnerabilities in the following plugins.
- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- Visual CSS Style Editor
- WP Live Chat Support
- Form Lightbox
- Hybrid Composer
- All former NicDark plugins (nd-booking, nd-travel, nd-learning, et. al.)
The plugins are linked to their respective vulnerabilities, so readers can determine the version to which they need to update, to prevent attacks, in case they’re using one of the plugins.
After updating the following plugins, site owners are also advised to check admin usernames registered on their sites. Removing these accounts is imperative, as their sole purpose was to create a way back into websites after users updated the vulnerable plugins.
Cleaning infected WordPress sites can be quite complicated, as site owners will also have to scan their websites with WordPress security plugins in search for various other backdoor mechanisms the hackers might have left behind. Non-technical users are advised to seek professional help.
Code Execution Vulnerability Identified in Change Healthcare Cardiology DevicesA vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated...
29% of Small Businesses Spend Less Than $1,000 on IT Security Annually and Why They Are The Most Targeted
29% of Small Businesses Spend Less Than $1,000 on IT Security Annually and Why They Are The Most TargetedThe digital and network footprint of small businesses is continually growing. Online commerce, social media, remote workers, and cloud-based IT infrastructure are...
What Other Companies Can Learn from Facebook’s $5 Billion Fine and Why Privacy MattersWhile Facebook’s $5 billion settlement stands as the largest fine in the history of the Federal Trade Commission (FTC), one must take into consideration that not every company is...
Stay Up to Date With The Latest News & Updates
Join Our Newsletter
Get weekly tech updates and immediate alerts when there is a zero-day or security issue!