The current malvertising attack against WordPress sites just took a turn for the worse. Details of the next stage of this ongoing attack came in a blog post from Mikey Veenstra at Wordfence. Veenstra lists a number of WordPress plugins that are being exploited by the attackers along with attempts to take control of infected websites.
In the blog, Veenstra warned that: “…the campaign has added an additional script which attempts to install a backdoor into the target site by exploiting an administrator’s session.” The malicious code monitors site visitors looking for one with administrator privileges who has already been infected through a previous visit.
Describing this Veenstra writes: “After checking for a cookie to determine if the given visitor has triggered the payload before, a function called checkmeone() is executed in order to test if that visitor is capable of creating new users, which would be the case if a logged-in administrator views an affected page.” At that point, the malicious code creates a rogue administrator account on the website.
Once the account has been created, the attacker can do pretty much what they want to the website. Interestingly, the attackers are not defacing or locking the existing owners out. Instead, Veenstra reports that they can add more malicious code or use the site for other activities.
A raft of compromised WordPress plugins
One of the big problems here is WordPress plugins. These are small pieces of code that can be added to WordPress sites to provide additional functionality. For website owners and creators with limited coding skills and budgets they save a lot of time. The range of functionality they offer is substantial, from editing tools and image libraries to Google captcha login protection and anti-spam programs. While some plugins are well written and maintained, many more are not.
Veenstra writes: “Of particular note is a recently disclosed flaw in the Bold Page Builder plugin. On August 23rd, NinTechNet released a warning that a vulnerability had been discovered in the plugin and had been under attack since the previous day.”
Veenstra lists the following plugins as being targeted in this campaign:
- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- Visual CSS Style Editor
- WP Live Chat Support
- Form Lightbox
- Hybrid Composer
- All former NicDark plugins (nd-booking, nd-travel, nd-learning, et al.)
What can you do?
Run the latest version of the WordPress software. A large number of WordPress sites use old, out of date and potentially risky versions of the core software. Often this is because they have purchased a theme that no longer works with the latest version of WordPress. In that case, change the theme. There is nothing wrong with updating the look and feel of a website. Visitors will notice the update and often spend a little more time looking to see what else has changed.
Administrators also need to make sure that they regularly check the status of any plugins that they are using. If out of date, update them. If they are no longer being maintained, replace them. Check user accounts on a regular basis to make sure that no new accounts have been created that you do not know about. Additionally, if you are going to allow people to create accounts on your website, make sure it is only possible for them to have limited access such as Contributor.
Heavily restrict the number of accounts with high level and administrative privileges. Where you do have such accounts, turn on two-factor authentication. This means that even if an account’s password is compromised, the attackers will find it hard to change passwords or settings. Another step is to look at how regularly user accounts are accessed. If a user has not logged in for several months, disable rather than remove the account. This means that if they do decide to use the account again, you can quickly restore it.
Install security software to protect WordPress and make regular backups. If something goes wrong or infected code is installed, be willing to roll back to an older version of the site. Better to lose a piece of content than be caught distributing malware.
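The two account checks above (look for administrator accounts you did not create, and find privileged accounts that have not logged in for months) can be scripted against a user export rather than done by eye. The following Python is an added example, not code from the article, from Wordfence or from WordPress itself. It assumes the input is the JSON written by `wp user list --format=json --fields=ID,user_login,user_registered,roles`, with `roles` as a comma-separated string; the `last_login` field is not tracked by WordPress core and is assumed here to be supplied by a plugin or custom user meta. The sample export, the baseline list of known administrators and the 90-day threshold (a reading of “several months”) are all constructed for the example.

```python
"""Audit a WordPress user export for unexpected administrators and stale
privileged accounts (added example; assumes a wp-cli style JSON export)."""
import json
from datetime import datetime, timedelta

# Constructed sample export: three legitimate accounts plus a freshly
# registered administrator of the kind a rogue-admin backdoor would create.
# `last_login` is NOT a core WordPress field; assumed to come from a plugin.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "alice", "user_registered": "2017-03-02 10:15:00",
     "roles": "administrator", "last_login": "2019-09-02 08:00:00"},
    {"ID": 2, "user_login": "bob", "user_registered": "2018-06-11 09:00:00",
     "roles": "editor", "last_login": "2019-09-01 17:30:00"},
    {"ID": 3, "user_login": "carol", "user_registered": "2018-01-20 12:00:00",
     "roles": "administrator", "last_login": "2019-02-14 11:00:00"},
    {"ID": 4, "user_login": "wpsupp0rt", "user_registered": "2019-09-03 03:12:44",
     "roles": "administrator", "last_login": ""},
])

KNOWN_ADMINS = {"alice", "carol"}          # baseline the site owner maintains by hand
STALE_AFTER = timedelta(days=90)           # assumed threshold for "several months"
SAMPLE_NOW = datetime(2019, 9, 3, 12, 0, 0)  # fixed clock so the sample is reproducible
WP_DATE = "%Y-%m-%d %H:%M:%S"              # format WordPress uses for user_registered


def parse_users(export_json):
    """Parse the export; roles become a set, timestamps become datetimes."""
    users = []
    for u in json.loads(export_json):
        last = u.get("last_login") or ""
        users.append({
            "login": u["user_login"],
            "registered": datetime.strptime(u["user_registered"], WP_DATE),
            "roles": {r.strip() for r in u["roles"].split(",") if r.strip()},
            "last_login": datetime.strptime(last, WP_DATE) if last else None,
        })
    return users


def unexpected_admins(users, known_admins):
    """Administrators missing from the baseline: candidates for a rogue account."""
    return sorted(u["login"] for u in users
                  if "administrator" in u["roles"] and u["login"] not in known_admins)


def stale_privileged(users, now, max_age=STALE_AFTER, roles=("administrator", "editor")):
    """Privileged accounts with no login inside max_age. An account that has never
    logged in is measured from its registration date, so a brand-new account is
    not reported as stale (it is caught by unexpected_admins instead)."""
    stale = []
    for u in users:
        if not u["roles"] & set(roles):
            continue
        last_seen = u["last_login"] or u["registered"]
        if now - last_seen > max_age:
            stale.append(u["login"])
    return sorted(stale)


def audit(export_json, known_admins, now):
    """Run both checks and return the findings as sorted login lists."""
    users = parse_users(export_json)
    return {
        "unexpected_admins": unexpected_admins(users, known_admins),
        "stale_privileged": stale_privileged(users, now),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, KNOWN_ADMINS, SAMPLE_NOW)
    for finding, logins in report.items():
        print(f"{finding}: {', '.join(logins) or 'none'}")
```

On the sample data the script flags `wpsupp0rt` as an administrator outside the baseline and `carol` as a privileged account that has been idle for more than 90 days; what to do with each (delete the first after confirming it is rogue, disable rather than delete the second) is the operator’s decision, as the article advises. Run it on a real site by piping the `wp user list` output into `SAMPLE_EXPORT`’s place and keeping `KNOWN_ADMINS` under version control so the baseline itself cannot be silently edited.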
Enterprise Times: What does this mean?
It’s very simple. WordPress is the most used CMS for creating websites. That means that any vulnerability is likely to be quickly exploited and have a good chance of success. Attackers see it as an easy target due to poor maintenance practices by many site owners.
Typical of that is the number of out of date or unsupported plugins that are used. These increase the attack surface and almost guarantee that an attack will be successful. As with any system, patching is important and when something is not supported, ditch it for something else.
Attacks on WordPress are not going away. However, many can be easily stopped or, at the very least, mitigated.