Active Attack Wants to Take-Over 1.6m WordPress Sites!

Cyber-attackers are targeting security vulnerabilities in 4 plugins plus several Epsilon Framework themes in order to give themselves administrator accounts.

An active attack against more than 1.6m WordPress sites is underway, with researchers spotting tens of millions of attempts to exploit 4 different plugins & several Epsilon Framework themes.

Privileges

The goal, they stated, is complete site takeover using administrative privileges.

The scope of the campaign is noteworthy: the activity is coming from more than 16,000 different IP addresses, according to a Wordfence analysis, & there were 13.7m attacks in the first 36 hours alone.

Plugins

Researchers explained that the attackers are aiming to exploit critical “unauthenticated arbitrary options update vulnerabilities” in the following plugins: Kiwi Social Share (patched in 2018), & WordPress Automatic, Pinterest Automatic & PublishPress Capabilities (all patched in 2021). Bugs of this class let a request that carries no authentication at all write an attacker-chosen name & value into the site's wp_options table, which is where WordPress keeps its settings.

“In most cases, the attackers are updating the ‘users_can_register’ option to enabled & setting the ‘default_role’ option to ‘administrator,’” Wordfence researchers noted in a Thursday analysis. “This makes it possible for attackers to register on any site as an administrator, effectively taking over the site.”
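To make the bug class concrete, here is an added illustration (not code from Wordfence or from any of the plugins named above) of what an “unauthenticated arbitrary options update” looks like in a WordPress plugin, alongside a hardened version of the same handler. The hook names, function names & option names are hypothetical; the WordPress API calls (add_action, update_option, check_ajax_referer, current_user_can, wp_send_json_error & friends) are real.

```php
<?php
// Added example of the bug class described in the article: a hypothetical
// AJAX handler, not code from any of the named plugins. All example_* names
// and the two option names in the allow-list are assumptions.

// --- VULNERABLE pattern -------------------------------------------------
// Registered on the wp_ajax_nopriv_ hook, so anyone on the internet can reach
// it, and it passes attacker-controlled strings straight to update_option().
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_vulnerable' );
add_action( 'wp_ajax_example_save_setting',        'example_save_setting_vulnerable' );

function example_save_setting_vulnerable() {
    $name  = $_POST['option_name']  ?? '';
    $value = $_POST['option_value'] ?? '';
    // A request with option_name=users_can_register&option_value=1, followed by
    // option_name=default_role&option_value=administrator, is all it takes.
    update_option( $name, $value );
    wp_send_json_success();
}

// --- HARDENED pattern ---------------------------------------------------
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach it.
add_action( 'wp_ajax_example_save_setting_safe', 'example_save_setting_safe' );

// Only options this plugin owns may be written, each with its own sanitizer.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_share_buttons' => 'sanitize_text_field',
    'example_layout'        => 'sanitize_key',
);

function example_save_setting_safe() {
    // 1. The request must carry a valid nonce for this action (CSRF defence).
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // 2. The caller must actually be allowed to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }

    // 3. Reject any option name outside the allow-list, so core settings such
    //    as users_can_register and default_role can never be touched here.
    $name = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! array_key_exists( $name, EXAMPLE_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $sanitize = EXAMPLE_ALLOWED_OPTIONS[ $name ];
    $value    = $sanitize( wp_unslash( $_POST['option_value'] ?? '' ) );

    update_option( $name, $value );
    wp_send_json_success();
}
```

The three checks in the hardened handler are independent: the missing nopriv hook stops anonymous callers, the capability check stops low-privilege accounts, & the allow-list limits the blast radius even if the first two are somehow bypassed.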

Arbitrary Options

The activity began in earnest on Dec. 8, according to Wordfence, possibly because attackers became interested in arbitrary options update bugs in general after the PublishPress Capabilities plugin was patched on Dec. 6.

Some of these bugs have been exploited before. The Ninja Technologies Network, for instance, flagged an increase in activity specifically against the Kiwi Social Share bug in 2018, starting on Dec. 6 of that year, shortly after it was patched.

“WordPress Kiwi Social Sharing plugin <2.0.11 is currently exploited since Dec. 6,” the firm revealed in a short alert at the time. “It allows attackers to modify the WordPress wp_options table in order to create administrator accounts or, for instance, redirect the blog to another website.”

Affected Versions

Affected versions are as follows:

  • Kiwi Social Plugin <= 2.0.10 – Adds functionality to let site visitors share content on social media. 10,000+ installations.
  • PublishPress Capabilities <= 2.3 – Allows admins to customise permissions for WordPress user roles, from administrators & editors to authors, contributors, subscribers & custom roles. 100,000+ installations.
  • Pinterest Automatic <= 4.14.3 – Pins images from posts automatically to Pinterest.com. 7,400+ sales.
  • WordPress Automatic <= 3.53.2 – Imports content to WordPress automatically. 28,000+ sales.

Epic Epsilon

The attackers are also targeting a function-injection vulnerability present in various Epsilon Framework themes, researchers outlined, which allows for remote code execution (RCE). Epsilon themes allow site builders to choose different flexible design elements to craft the way a website looks & is organised.

The affected themes (collectively installed on 150k+ sites) are:

  • Activello <=1.4.0
  • Affluent <1.1.0
  • Allegiant <=1.2.2
  • Antreas <=1.0.2
  • Bonkers <=1.0.4
  • Brilliance <=1.2.7
  • Illdy <=2.1.4
  • MedZone Lite <=1.2.4
  • NatureMag Lite – no patch, users should uninstall
  • NewsMag <=2.4.1
  • Newspaper X <=1.3.1
  • Pixova Lite <=2.0.5
  • Regina Lite <=2.0.4
  • Shapely <=1.2.7
  • Transcend <=1.1.8

Probing Attacks

These same themes have anchored large-scale attacks before. In Nov. 2020, Wordfence observed an operation that targeted this list with “probing attacks,” meant to evaluate whether sites were unpatched & vulnerable. That involved 7.5m attacks against more than 1.5m websites, coming from more than 18,000 IP addresses.

This time, researchers explained, the attackers are again trying to update arbitrary options in order to take over a site by creating an administrator account.

Time to Patch

“Due to the severity of these vulnerabilities & the massive campaign targeting them, it is incredibly important to ensure your site is protected from compromise,” according to Wordfence.

“We strongly recommend ensuring that any sites running one of these plugins or themes have been updated to the patched version…Simply updating the plugins & themes will ensure that your site stays safe from compromise against any exploits targeting these vulnerabilities.”

User Accounts

To find if a website has been compromised, admins can review the user accounts on the site to determine if there are any that are unauthorised, researchers recommended.

“If the site is running a vulnerable version of any of the 4 plugins or various themes, & there is a rogue user account present, then the site was likely compromised via one of these plugins,” they explained. “Please remove any detected user accounts immediately.”

Admins should also visit the Settings > General page (http://examplesite[.]com/wp-admin/options-general.php) & ensure that the “Membership” setting (the “Anyone can register” checkbox) is off & that “New User Default Role” is set to the role they expect, normally Subscriber, they suggested.
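The three checks above (patch level, rogue administrator accounts, & the two options) can be run in one pass with WordPress loaded. The script below is an added example, not Wordfence's tooling; run it with WP-CLI as `wp eval-file check-takeover.php` or drop it in as a one-off mu-plugin. The cut-off date, the loose matching on each plugin's “Plugin Name” header, & the example_ function name are assumptions; the version ceilings are the ones listed in the article.

```php
<?php
// Added post-incident check for the indicators described in the article.
// Not code from Wordfence or any plugin. Assumptions: the campaign start date
// used as the cut-off, and that the four plugins can be recognised by the
// article's names appearing in their "Plugin Name" header.

function example_check_takeover_indicators( $since = '2021-12-06 00:00:00' ) {
    $findings = array();

    // 1. Registration should be closed and new users should be subscribers.
    if ( (int) get_option( 'users_can_register' ) === 1 ) {
        $findings[] = 'users_can_register is enabled (Settings > General > Membership)';
    }
    $default_role = get_option( 'default_role' );
    if ( 'subscriber' !== $default_role ) {
        $findings[] = "default_role is '{$default_role}', expected 'subscriber'";
    }

    // 2. Any administrator created since the campaign began needs review.
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
    foreach ( $admins as $u ) {
        if ( strtotime( $u->user_registered ) >= strtotime( $since ) ) {
            $findings[] = sprintf(
                'administrator %s (ID %d, %s) registered %s',
                $u->user_login, $u->ID, $u->user_email, $u->user_registered
            );
        }
    }

    // 3. Installed versions of the four plugins against the article's ceilings.
    //    Matching on the Name header is an assumption; confirm by folder name.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $max_vulnerable = array(
        'Kiwi Social'               => '2.0.10',
        'PublishPress Capabilities' => '2.3',
        'Pinterest Automatic'       => '4.14.3',
        'WordPress Automatic'       => '3.53.2',
    );
    foreach ( get_plugins() as $file => $meta ) {
        foreach ( $max_vulnerable as $name => $max ) {
            if ( stripos( $meta['Name'], $name ) !== false
                 && version_compare( $meta['Version'], $max, '<=' ) ) {
                $findings[] = "{$meta['Name']} {$meta['Version']} ({$file}) is at or below {$max}: update it";
            }
        }
    }

    return $findings;
}

$findings = example_check_takeover_indicators();
if ( empty( $findings ) ) {
    echo "No takeover indicators found\n";
} else {
    foreach ( $findings as $f ) {
        echo "[!] {$f}\n";
    }
}
```

A clean run proves nothing about the Epsilon theme RCE, which does not need a rogue account to be useful to an attacker, so treat the script as a triage aid & still update every theme & plugin on the lists above.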

Websites Globally

With WordPress powering more than 30% of websites globally (455m sites in total), the platform & its 3rd-party plugins will continue to be an attractive target for cyber-attackers, especially as plugin bugs are not uncommon.

For example, in Oct. researchers discovered a high-severity vulnerability in the Hashthemes Demo Importer plugin that allows subscribers to wipe sites clean of content.
