13.7 million cyber attacks from 16,000 IP addresses target four vulnerable WordPress plugins and 15 themes hitting 1.6 million websites
Massive exploitation of WordPress websites is ongoing, with 1.6 million domains experiencing approximately 13.7 million cyberattacks in 36 hours. At least 16,000 IP addresses were involved in the large-scale attack, according to WordPress security firm WordFence in a report released on December 9.
WordFence says hackers are targeting several vulnerable WordPress plugins and themes, including one theme for which no security patch exists.
The motive of attackers is to gain administrative privileges and completely take over vulnerable websites.
Attackers Enable Default Admin Roles and Registration on WordPress Websites
The researchers observed that the attackers modified the “users_can_register” option to enable it before setting the “default_role” option to “administrator”.
To mitigate the impact of potential compromises, site owners should visit http://examplesite[.]com/wp-admin/options-general.php and make sure that “Membership” has not been set to “Anyone can register” and that the “New User Default Role” has not been set to “Administrator”.
Additionally, website owners should check for malicious additions to plugins, user accounts, and user roles. They should immediately update their sites, themes and plugins and uninstall the NatureMag Lite theme, which does not currently have a patched version. WordFence also provides a comprehensive cleanup guide for securing compromised WordPress websites.
However, the WordPress backend allows admins to edit source code files. Therefore, attackers could introduce further vulnerabilities to compromised websites.
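The check described above can be automated on the site itself. The must-use plugin below is an added example, not code from WordFence or the original article: it re-asserts the two options the attackers flipped and logs the current administrator accounts whenever it has to correct something. File and function names are assumptions; it relies only on standard WordPress functions (get_option, update_option, get_users, add_action).

```php
<?php
/**
 * Plugin Name: Option Tamper Guard (constructed example)
 * Description: Re-asserts safe registration settings and logs administrator
 *              accounts so abuse of an arbitrary-option-update bug is noticed.
 * Install as wp-content/mu-plugins/option-tamper-guard.php: must-use plugins
 * load before ordinary plugins and cannot be deactivated from the dashboard.
 */

// The two options the attackers modified, with the values a hardened site expects.
// Adjust these if the site legitimately allows open registration.
const OTG_EXPECTED = [
    'users_can_register' => '0',          // "Membership: Anyone can register" unchecked
    'default_role'       => 'subscriber', // "New User Default Role"
];

/**
 * Reset any tampered option and return the names that were wrong.
 * get_option() returns the stored string, so compare as strings.
 */
function otg_enforce_options(): array {
    $fixed = [];
    foreach (OTG_EXPECTED as $name => $expected) {
        if ((string) get_option($name) !== $expected) {
            update_option($name, $expected);
            $fixed[] = $name;
        }
    }
    return $fixed;
}

/**
 * Return login and registration time of every administrator, so an unexpected
 * account (the compromise indicator WordFence describes) shows up in the log.
 */
function otg_list_admins(): array {
    $query = ['role' => 'administrator', 'fields' => ['user_login', 'user_registered']];
    $out = [];
    foreach (get_users($query) as $u) {
        $out[] = $u->user_login . ' (registered ' . $u->user_registered . ')';
    }
    return $out;
}

add_action('init', function () {
    $fixed = otg_enforce_options();
    if ($fixed) {
        // error_log() writes to the PHP error log, or wp-content/debug.log with WP_DEBUG_LOG.
        error_log('[option-tamper-guard] reset tampered options: ' . implode(', ', $fixed)
            . '; current administrators: ' . implode(', ', otg_list_admins()));
    }
});
```

Resetting the options closes the window in which a newly registered account would receive the administrator role, but it does not remove accounts already created, so the logged administrator list still has to be reviewed by hand.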
Cyber attack targets four vulnerable WordPress plugins and 15 Epsilon themes
WordFence says the current wave of attacks began on December 8, after developers patched vulnerabilities in PublishPress Capabilities on December 6.
The company noted that large-scale WordPress cyberattacks targeted “Unauthenticated Arbitrary Option Update vulnerabilities” in Kiwi Social Share (2018), WordPress Automatic, Pinterest Automatic, and PublishPress Capabilities plugins.
Researchers also discovered that versions of the WordPress Kiwi Social Sharing plugin prior to 2.0.11 allow attackers to modify the wp_options table to create administrator accounts or redirect a blog to another site.
Attackers also target a function injection vulnerability in Epsilon Framework themes that allows remote code execution (RCE). WordFence has estimated that at least 150,000 websites use the framework.
“If the site is running a vulnerable version of any of the four plugins or various themes, and a malicious user account is present, then the site has likely been compromised through one of those plugins,” the WordFence researchers warned. “Please delete all detected user accounts immediately.”
Cyber attacks targeting WordPress sites
The recent cyber attack occurred just after another security vulnerability, in the WordPress “WPS Hide Login” plugin, exposed the secret administrator login pages of over a million websites. The plugin is intended to hide the wp-admin login page from automated scripts and hackers who guess the location of the page.
The themes were also the subject of a massive cyber attack in 2020 involving over 18,000 IP addresses, when WordFence recorded 7.5 million cyber attacks targeting 1.5 million websites. However, those attacks attempted to determine whether the websites had the targeted theme vulnerabilities instead of performing a full exploitation chain.
Uriel Maimon, senior director of emerging technologies at PerimeterX, noted that WordPress has become a regular victim of cyber attacks.
“Shadow Code introduced through third-party plugins and frameworks greatly expands the attack surface of websites,” Maimon said. “Therefore, website owners should be vigilant of third-party plugins and frameworks and stay on top of security updates. They need to secure their websites using web application firewalls, as well as client-side visibility solutions that can reveal the presence of malicious code on their sites.”