Adware

Hackers exploit vulnerabilities in more than 10 WordPress plugins in one campaign

Defiant experts have warned that a group of hackers exploits vulnerabilities in more than 10 WordPress plugins to create new admin accounts on other people’s sites. Then, these accounts serve as backdoors for attackers.

According to researchers, occurs natural continuation of the malicious campaign that began in July 2019. That time the same hack group used vulnerabilities in the same plugins to inject malicious code on websites. This code was intended to display pop-up ads or to redirect visitors to other resources. Now, starting on August 20, 2019, criminals have changed tactics and use other payloads.

“Much of the campaign remains identical. Known vulnerabilities in WordPress plugins are exploited to inject malicious JavaScript into the frontends of victim sites, which causes the sites’ visitors to be redirected to potentially harmful content like malware droppers and fraud sites. Where possible, the payloads are obfuscated in an attempt to avoid detection by WAF and IDS software”, — explained Defiant experts.

So, now instead of the code responsible for the implementation of pop-ups and redirects, code is used to check whether the visitor to the site has the ability to create user accounts (a feature available only to admin accounts in WordPress).

Read also: Vulnerability in the plugin for WordPress allowed to execute PHP-code remotely

In fact, the malware is waiting for the owner of the site to access his resource. When this happens, the malicious code creates a new administrator account named wpservices using the address wpservices@yandex.com and the password w0rdpr3ss. Then these accounts are used as backdoors.

“The campaign picks up new targets over time. It’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor”, — say Defiant researchers.

Researchers write that attacks target previously famous vulnerabilities in the following plugins:

Defiant strongly recommends that website owners update the above plugins to the latest versions, as well as check their resources for new administrator accounts and, if necessary, delete fraudulent accounts.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove News-xbuhoxu.store Pop-up Ads

About News-xbuhoxu.store News-xbuhoxu.store pop-ups can not open out of nowhere. If you have actually clicked…

44 mins ago

Remove News-xbadeyo.today Pop-up Ads

About News-xbadeyo.today News-xbadeyo.today pop-ups can not introduce out of nowhere. If you have clicked on…

45 mins ago

Remove News-bbutohu.info Pop-up Ads

About News-bbutohu.info News-bbutohu.info pop-ups can not open out of nowhere. If you have actually clicked…

1 hour ago

Remove News-bbucoxe.today Pop-up Ads

About News-bbucoxe.today News-bbucoxe.today pop-ups can not launch out of the blue. If you have clicked…

1 hour ago

Remove News-xdetake.cc Pop-up Ads

About News-xdetake.cc News-xdetake.cc pop-ups can not expose out of nowhere. If you have clicked on…

4 hours ago

Remove News-bbufiya.today Pop-up Ads

About News-bbufiya.today News-bbufiya.today pop-ups can not expose out of nowhere. If you have clicked some…

4 hours ago