Hackers exploit vulnerabilities in more than 10 WordPress plugins in one campaign

Defiant experts have warned that a group of hackers exploits vulnerabilities in more than 10 WordPress plugins to create new admin accounts on other people’s sites. Then, these accounts serve as backdoors for attackers.

According to researchers, occurs natural continuation of the malicious campaign that began in July 2019. That time the same hack group used vulnerabilities in the same plugins to inject malicious code on websites. This code was intended to display pop-up ads or to redirect visitors to other resources. Now, starting on August 20, 2019, criminals have changed tactics and use other payloads.

“Much of the campaign remains identical. Known vulnerabilities in WordPress plugins are exploited to inject malicious JavaScript into the frontends of victim sites, which causes the sites’ visitors to be redirected to potentially harmful content like malware droppers and fraud sites. Where possible, the payloads are obfuscated in an attempt to avoid detection by WAF and IDS software”, — explained Defiant experts.

So, now instead of the code responsible for the implementation of pop-ups and redirects, code is used to check whether the visitor to the site has the ability to create user accounts (a feature available only to admin accounts in WordPress).

Read also: Vulnerability in the plugin for WordPress allowed to execute PHP-code remotely

In fact, the malware is waiting for the owner of the site to access his resource. When this happens, the malicious code creates a new administrator account named wpservices using the address wpservices@yandex.com and the password w0rdpr3ss. Then these accounts are used as backdoors.

“The campaign picks up new targets over time. It’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor”, — say Defiant researchers.

Researchers write that attacks target previously famous vulnerabilities in the following plugins:

• Bold Page Builder;
• Blog Designer;
• Live Chat with Facebook Messenger;
• Yuzo Related Posts;
• Visual CSS Style Editor;
• WP Live Chat Support;
• Form Lightbox;
• Hybrid Composer;
• All NicDark plugins (nd-booking, nd-travel, nd-learning and so on).

Defiant strongly recommends that website owners update the above plugins to the latest versions, as well as check their resources for new administrator accounts and, if necessary, delete fraudulent accounts.