WordPress Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/wordpress/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

WordPress Critical Vulnerability Fixed in Patch 6.4.2
https://gridinsoft.com/blogs/wordpress-vulnerability-fixed-patch-642/
Fri, 08 Dec 2023 23:08:45 +0000

WordPress has rolled out version 6.4.2, addressing a critical remote code execution (RCE) vulnerability. Discovered by the project’s security team, the vulnerability could potentially be exploited by threat actors to execute arbitrary PHP code on vulnerable websites. WordPress, a widely used open-source content management system, currently powers over 800 million sites, constituting approximately 45% of the total websites on the internet.

WordPress RCE Vulnerability Fixed

The WordPress security team advises administrators to update to version 6.4.2 promptly, even though the RCE vulnerability isn’t directly exploitable in the core. Manual verification of completed updates is recommended to ensure the patch’s successful installation.

In light of the vulnerability, security companies, including Wordfence and Patchstack, offer guidance to users and developers. Wordfence advises users to manually check and update their WordPress sites to the latest version. Developers are also encouraged to replace calls to unserialize() with alternatives such as JSON encoding and decoding via the json_encode() and json_decode() PHP functions.

WordPress Vulnerability Analysis

The security team identified a Property Oriented Programming (POP) chain vulnerability introduced in WordPress core 6.4. This vulnerability, rooted in the “WP_HTML_Token” class, surfaced in an effort to enhance HTML parsing within the block editor. While not directly exploitable in the core, the security team emphasizes the potential for high severity when combined with specific plugins, particularly in multisite installations.

A POP chain relies on an attacker controlling all properties of a deserialized object, achievable through PHP’s “unserialize()” function. Also, the vulnerability exposes the possibility of hijacking the application’s flow by manipulating values sent to magic methods like “__wakeup()”. To exploit this flaw, a PHP object injection vulnerability on the target site is required. It could exist in a plugin or theme add-on.

The new __wakeup() method ensures that any serialized object of the WP_HTML_Token class throws an error as soon as it is unserialized. This prevents the __destruct() method from executing:

[Figure: Things that the 6.4.2 patch fixes]
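As an added illustration, not code from WordPress or from this post, here is the pattern the paragraph describes, in PHP 8: a constructed class whose __destruct() acts on a property, the __wakeup() guard that makes unserialize() fail before that can happen, plus the allowed_classes option and the json_decode() replacement the advisories recommend. The class names, the payload and the log array are made up for the demo.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a class that does work in __destruct(), as a POP gadget would.
// Every property of an unserialized object comes straight from the attacker's bytes.
final class UnguardedToken
{
    public static array $log = [];                 // records what __destruct() did

    public function __construct(public string $name = 'legit') {}

    public function __destruct()
    {
        // A real gadget might call a stored callback or touch a file named by $this->name.
        self::$log[] = 'destruct ran with name=' . $this->name;
    }
}

// Hardened variant: the guard pattern the 6.4.2 patch adds to WP_HTML_Token.
final class GuardedToken
{
    public static array $log = [];

    public function __construct(public string $name = 'legit') {}

    // unserialize() calls __wakeup() once the properties are filled in. Throwing here aborts
    // the restore, and PHP skips the destructor of an object whose restore failed.
    public function __wakeup(): void
    {
        throw new LogicException(__CLASS__ . ' should never be unserialized');
    }

    public function __destruct()
    {
        self::$log[] = 'destruct ran with name=' . $this->name;
    }
}

// Payload constructed for the demo: an object of $class with the property value replaced,
// the shape any PHP object injection bug would let an attacker feed to unserialize().
function injectedPayload(string $class): string
{
    return 'O:' . strlen($class) . ':"' . $class . '":1:{s:4:"name";s:8:"injected";}';
}

function demo(): array
{
    $r = [];

    // 1. Unguarded class: the injected value is accepted and __destruct() acts on it.
    $obj = unserialize(injectedPayload(UnguardedToken::class));
    unset($obj);
    $r['unguarded'] = UnguardedToken::$log;         // ['destruct ran with name=injected']

    // 2. Guarded class: __wakeup() throws, so the object is discarded without __destruct().
    try {
        unserialize(injectedPayload(GuardedToken::class));
    } catch (LogicException $e) {
        $r['guarded_error'] = $e->getMessage();
    }
    $r['guarded'] = GuardedToken::$log;             // []

    // 3. Defence in depth for unserialize() calls that must stay: refuse every class, so
    //    the data comes back as __PHP_Incomplete_Class with no methods to reach.
    $inc = unserialize(injectedPayload(UnguardedToken::class), ['allowed_classes' => false]);
    $r['incomplete'] = get_class($inc);             // '__PHP_Incomplete_Class'

    // 4. The recommended replacement: JSON carries data only, so no class is instantiated
    //    and the object is built explicitly from validated fields.
    $data  = json_decode(json_encode(['name' => 'legit']), true, 512, JSON_THROW_ON_ERROR);
    $token = new GuardedToken((string) $data['name']);
    $r['json'] = $token->name;                      // 'legit'

    return $r;
}

print_r(demo());
```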

Recommendations

WordPress users are urged to remain vigilant, implement recommended mitigation measures, and follow official channels for the latest updates.

It is highly recommended that you manually check whether your site has been updated to WordPress 6.4.2, even though most sites should update automatically. It is also crucial to secure your WordPress site in today’s threat landscape: to protect your digital assets and yourself, staying informed about the latest security updates and best practices is essential.

Phishing With Hacked Sites Becomes a Massive Menace
https://gridinsoft.com/blogs/phishing-with-hacked-sites/
Sat, 19 Aug 2023 17:45:40 +0000

Threat actors have started using compromised websites for phishing much more frequently; this worrying statistic appeared in several recent research reports. The approach is not new, though it can be particularly effective for fraud.

Hackers Use Poorly-protected Sites in Phishing Scams

Cybercriminals often target abandoned WordPress websites with poor maintenance and security patches, making even smaller sites attractive targets for long-lasting phishing pages.

Malicious actors can also target actively maintained websites, even those kept up to date. Websites with low traffic and small audiences are vulnerable as well. Some website owners lack the financial resources to invest in robust information security measures or to hire dedicated security professionals. They may also have limited knowledge of security configuration, or wrongly assume that their small website would not attract hackers’ attention. For phishers, however, how easily a website can be exploited matters more than its popularity, because a compromised site of any size can host scam pages whose links are then distributed through e-mail or instant messaging. Consequently, even small websites present an appealing opportunity for scammers.

According to researchers, most websites on the Internet are powered by the WordPress content management system. This platform boasts an extensive array of third-party plugins aimed at enhancing its functionality. Unfortunately, both plugins and WordPress are frequently found to have new vulnerabilities that hackers can exploit.


WordPress-Based Websites In The Scope

Phishers exploit security holes to hack WordPress websites. After a successful exploitation attempt, they upload a WSO web shell, which allows them to bypass the authentication step and gain access to the website control panel. This gives them full control over the website.

At the same time, most compromised websites show broken links leading to various sections of their homepage, because hackers often remove the original directories and replace them with phishing materials. When users enter data, such as website credentials or even sensitive information like CVV numbers from bank cards, depending on the specific scam, it is stored within the control panel of the deceptive page. Where the website is equipped with a web shell and its content is accessible to anyone, the victim’s data becomes visible to all.

Signs of a hacked WordPress site

Several fairly obvious signs suggest you are looking at a phishing page hosted on a compromised website.

  • The URLs of these pages contain folders such as /wp-Config/, /wp-content/, /wp-admin/, /wp-includes/, or equivalents, and a PHP file within these directories. Although pages with the .php extension can be legitimate components of websites, their presence together with the aforementioned directory names unequivocally indicates a phishing endeavor.
  • The content displayed on the homepage seems disconnected from the phishing page.
  • The URL includes the service’s accurate (or altered) name that the scammers aim to mimic. However, this name is unrelated to the actual name of the website.
[Figure: Control panel of a hacked website]

How to recognize phishing with hacked sites

Despite hackers’ diligent efforts to fabricate convincing replicas of popular websites that their targeted users frequent, there are telltale signs of phishing on a hacked site. It’s particularly important to be vigilant for the following indicators:

  1. The presence of default names of WordPress directories in the URL.
  2. Inclusion of the imitated brand’s name within one of the directory names.
  3. Page content that appears unrelated to the website’s overall theme.
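The first two indicators can be checked mechanically. Below is an added example in PHP 8 (not from this post) that scores a URL against them, treating a brand name altered by one character as a match, as the post mentions; the third indicator, page content unrelated to the site, still needs a human eye. The brand list and the URLs are constructed.

```php
<?php
declare(strict_types=1);

// Default WordPress directory names named in the post; legitimate sites serve code from
// them, not branded login pages.
const WP_DIRS = ['wp-admin', 'wp-content', 'wp-includes', 'wp-config'];

/**
 * Returns which of the post's URL-based indicators match $url.
 * $brands: names of the services phishers imitate (constructed list for the demo).
 */
function phishingIndicators(string $url, array $brands): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return ['unparseable-url'];
    }
    $host     = strtolower($parts['host']);
    $segments = array_values(array_filter(explode('/', strtolower($parts['path'] ?? '')), 'strlen'));
    $dirs     = array_slice($segments, 0, -1);        // everything but the final file name
    $file     = $segments === [] ? '' : end($segments);
    $found    = [];

    // 1. A default WordPress directory in the path.
    $wpDirs = array_intersect($dirs, WP_DIRS);
    if ($wpDirs !== []) {
        $found[] = 'wp-directory:' . implode(',', $wpDirs);
    }

    // 1b. A .php file below one of those directories. The post calls this an unequivocal
    //     sign; note that /wp-admin/*.php is the site's own dashboard, so on its own this
    //     only matters for a page posing as another service (see looksLikePhishing()).
    if ($wpDirs !== [] && str_ends_with($file, '.php')) {
        $found[] = 'php-under-wp-directory:' . $file;
    }

    // 2. The imitated brand's name, exact or altered by one character, in a directory
    //    name, while the host itself is not that brand's.
    foreach ($brands as $brand) {
        $b = strtolower($brand);
        if (str_contains($host, $b)) {
            continue;                                 // the brand's own site
        }
        foreach ($dirs as $seg) {
            $altered = abs(strlen($seg) - strlen($b)) <= 1 && levenshtein($seg, $b) <= 1;
            if (str_contains($seg, $b) || $altered) {
                $found[] = 'brand-in-directory:' . $seg . '~' . $brand;
                break;
            }
        }
    }
    return $found;
}

// Decision rule: the brand indicator together with at least one WordPress-structure indicator.
function looksLikePhishing(string $url, array $brands): bool
{
    $f        = phishingIndicators($url, $brands);
    $hasBrand = (bool) preg_grep('/^brand-in-directory:/', $f);
    $hasWp    = (bool) preg_grep('/^(wp-directory|php-under-wp-directory):/', $f);
    return $hasBrand && $hasWp;
}

// Constructed URLs for the demo.
$brands = ['PayPal', 'Netflix', 'DHL'];
foreach ([
    'https://small-bakery.example/wp-content/uploads/paypa1/signin.php', // lure on a hacked site
    'https://small-bakery.example/wp-includes/netflix/index.php',
    'https://small-bakery.example/wp-admin/edit.php',                    // the site's own dashboard
    'https://www.paypal.com/signin',                                     // the real service
] as $url) {
    printf("%-70s %-8s %s\n", $url, looksLikePhishing($url, $brands) ? 'PHISHING' : 'ok',
        json_encode(phishingIndicators($url, $brands)));
}
```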

How to protect yourself against phishing attacks?

Most phishing succeeds mainly thanks to the victim’s inattentiveness, so the obvious solution is to be attentive at every questionable moment. Yet a great many things can be spoofed, and with the tools available nowadays this form of fraud is very easy to carry out, so additional measures help:

  1. Use two-factor authentication. It will not let anyone except the person who has your mobile phone (hopefully, yourself) log into your account. Your phone may itself require another authentication step to unlock, which makes the login to your account multi-factor, which is even better for limiting the consequences of a successful phishing attack.
  2. Should you fall victim to a phishing attack, it is better to have all your valuable data backed up on a hard drive or in cloud storage. Phishing attacks may have various consequences, but a backup is the most dependable countermeasure for your data.
  3. Protecting your personal information is crucial for maintaining your privacy and security. Think twice before sharing personal information in casual conversations, both online and offline. Avoid posting sensitive details like your full address, phone number, and financial information.
  4. Use a spam filter. With spam filters and anti-spam features, it is possible to stop receiving unwanted emails. Prefer mailing lists that let you unsubscribe from future messages. This helps minimize the damage from phishing.
  5. The ultimate countermeasure against any form of phishing on the computer is anti-malware software. Of course, not every security tool will fit you; programs with an online protection function give the best protection. GridinSoft Anti-Malware may offer you such a function. Moreover, it is also able to remove the malware that helps the fraudsters fool you.

Vulnerability in WordPress Plugin WooCommerce Payments Is Actively Used to Hack Sites
https://gridinsoft.com/blogs/woocommerce-payments-wordpress-plugin/
Mon, 24 Jul 2023 08:09:16 +0000

Hackers use a vulnerability in the widely used WooCommerce Payments WordPress plugin to gain privileges of any user, including administrator, on vulnerable sites.

WooCommerce Payments is a popular WordPress plugin that allows websites to accept credit cards as a payment method in WooCommerce stores. According to official statistics, the plugin has over 600,000 active installations.

By the way, we wrote earlier that this plugin was recognized as one of the most vulnerable, and also reported that WooCommerce stores were attacked by web skimmers. Let me also remind you of the recent attacks on the Elementor Pro plugin.

In March of this year, the developers released an updated version of the plugin (5.6.2), which eliminated the critical vulnerability CVE-2023-28121. The vulnerability affected WooCommerce Payment version 4.8.0 and higher and was fixed in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2.

Since the vulnerability allows anyone to impersonate a site administrator and take full control of WordPress, the company behind the development of the CMS, Automattic, forced updates to hundreds of thousands of sites running the popular payment system.

Then the creators of WooCommerce stated that they had no data about attacks on this vulnerability, but information security specialists warned that due to the critical nature of the error, hackers would certainly be interested in it.

Now researchers from RCE Security have analyzed the issue and published a technical report on CVE-2023-28121 on their blog, explaining exactly how the vulnerability can be exploited.

Attackers can simply add X-WCPAY-PLATFORM-CHECKOUT-USER to the request header and set it to the user ID of the account they wish to masquerade as, experts say. Given this header, WooCommerce Payments will treat the request as if it came from the specified ID, including all privileges for that user.


RCE Security attached to its analysis a PoC exploit that uses the vulnerability to create a new administrator user on vulnerable sites, allowing full control over the resource.

As a result, WordPress security company Wordfence warned this week that attackers are already exploiting the vulnerability as part of a massive campaign targeting more than 157,000 sites.

"Large-scale attacks on the CVE-2023-28121 vulnerability began on Thursday, July 14, 2023, and continued over the weekend, peaking at 1.3 million attacks on 157,000 sites by July 16, 2023," Wordfence reports.

According to experts, the attackers use the exploit to install the WP Console plugin on vulnerable sites or create administrator accounts. On systems where the WP Console was installed, the attackers used a plugin to execute PHP code that installed a file uploader on the server and could subsequently be used as a backdoor even after the vulnerability was fixed.


To scan vulnerable WordPress sites, attackers try to access the /wp-content/plugins/woocommerce-payments/readme.txt file and, if it exists, proceed to exploit the vulnerability.

In their report, the researchers shared seven IP addresses from which the attacks are carried out, and especially highlighted the IP address 194.169.175.93, which crawled 213,212 sites.

Site owners are encouraged to update WooCommerce Payments as soon as possible if they have not already done so, and to check their sites for unusual PHP files and suspicious admin accounts, removing any that are found.

Hackers Actively Exploit the 0-Day Vulnerability in the Ultimate Member WordPress Plugin
https://gridinsoft.com/blogs/wordpress-plugin-ultimate-member/
Tue, 04 Jul 2023 12:34:40 +0000

Hackers actively exploit a zero-day vulnerability in the WordPress plugin Ultimate Member to increase privileges: with the help of this bug, attackers hack sites, bypassing protection, and create new administrator accounts. The Ultimate Member plugin is designed to facilitate registration and community creation on WordPress sites, and currently has more than 200,000 active installations.

Ultimate Member WordPress Plugin 0-day Vulnerability

This is not the first case of a WordPress plugin turning out to contain a 0-day vulnerability. In particular, hackers used GoTrim malware to hack into WordPress-based sites. The scale of hackers’ interest in such websites is confirmed by the number of sites they scanned looking for vulnerabilities.

The vulnerability, exploited in the wild, received the identifier CVE-2023-3460 and a score of 9.8 on the CVSS scale; the maximum score is 10, which shows how critical it is. The problem affects all Ultimate Member versions, including the latest, 2.6.6. The developers initially tried to fix the vulnerability in versions 2.6.3, 2.6.4, 2.6.5 and 2.6.6, but it appears that the vulnerability resides deeper. The authors of the plugin state that they continue to work on solving the remaining problems and hope to release a new patch in the near future.

"Versions 2.6.4, 2.6.5, 2.6.6 partially fix the vulnerability, but we are still working with the WPScan team to achieve the best result. All previous versions [of the plugin] are vulnerable, so we strongly recommend updating your sites to version 2.6.6 and following updates in the future to get the latest improvements in security and functionality," the developers write.

How does that work?

Attacks on a vulnerability in Ultimate Member were detected by Wordfence specialists, who warn that criminals use a bug in the plugin’s registration form to set arbitrary meta-values for their accounts.

In particular, hackers set the wp_capabilities meta-value to assign themselves the role of administrator. Obviously, that gives them full access to the vulnerable resource. The plugin has a black list of keys that users can’t update, which may ease the problem. Nonetheless, researchers say that it’s quite easy to bypass this protective measure.

Sites hacked using CVE-2023-3460 will have the following indicators of compromise:

  1. the appearance of new administrator accounts on the site;
  2. accounts with the usernames wpenginer, wpadmins, wpengine_backup, se_brutal or segs_brutal;
  3. logs showing that IP addresses known to be malicious have accessed the Ultimate Member registration page;
  4. logs recording access from 146.70.189.245, 103.187.5.128, 103.30.11.160, 103.30.11.146 and 172.70.147.176;
  5. the appearance of an account with an email address associated with exelica.com;
  6. installation of new plugins and themes on the site.

The critical vulnerability remains unfixed and is extremely easy to exploit. Wordfence recommends that all administrators immediately remove the Ultimate Member plugin. Experts explain that even specific firewall setups do not cover all possible exploitation scenarios, so for now removing the plugin remains the only possible solution.
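An added example (not from either post) in PHP 8 that turns the indicators of compromise from this post and from the WooCommerce Payments post above into two checks: an audit of the user table for unexpected administrators and IoC usernames or e-mail domains, and a scan of access-log lines for the IoC addresses and the readme.txt probe. The user rows, log lines and the cut-off date are constructed.

```php
<?php
declare(strict_types=1);

// Indicators quoted in the two posts (Ultimate Member IoCs and the WooCommerce Payments
// scanner address). On a live site the user rows come from wp_users joined with
// wp_usermeta (meta_key 'wp_capabilities'); here they are constructed.
const SUSPECT_USERNAMES     = ['wpenginer', 'wpadmins', 'wpengine_backup', 'se_brutal', 'segs_brutal'];
const SUSPECT_EMAIL_DOMAINS = ['exelica.com'];
const SUSPECT_IPS           = ['146.70.189.245', '103.187.5.128', '103.30.11.160',
                               '103.30.11.146', '172.70.147.176', '194.169.175.93'];
const PROBE_PATHS           = ['/wp-content/plugins/woocommerce-payments/readme.txt'];

/**
 * Flags accounts that match the IoCs or are administrators the owner did not create.
 * $knownAdmins: logins the site owner vouches for; $since: first day the plugin was exposed.
 */
function auditUsers(array $users, array $knownAdmins, string $since): array
{
    $findings = [];
    $sinceTs  = strtotime($since);
    foreach ($users as $u) {
        $reasons = [];
        $login   = strtolower($u['user_login']);
        $isAdmin = !empty($u['capabilities']['administrator']);
        if ($isAdmin && !in_array($u['user_login'], $knownAdmins, true)) {
            $reasons[] = 'administrator not on the known list';
        }
        if ($isAdmin && strtotime($u['user_registered']) >= $sinceTs) {
            $reasons[] = 'administrator registered on or after ' . $since;
        }
        if (in_array($login, SUSPECT_USERNAMES, true)) {
            $reasons[] = 'username from the Ultimate Member IoC list';
        }
        $domain = strtolower(substr(strrchr($u['user_email'], '@') ?: '@', 1));
        if (in_array($domain, SUSPECT_EMAIL_DOMAINS, true)) {
            $reasons[] = 'e-mail domain from the IoC list';
        }
        if ($reasons !== []) {
            $findings[$u['user_login']] = $reasons;
        }
    }
    return $findings;
}

/**
 * Scans access-log lines (combined format) for the IoC addresses and for the readme.txt
 * probe that precedes WooCommerce Payments exploitation. Returns one entry per matching line.
 */
function suspectLogHits(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
            continue;                                  // not a request line we understand
        }
        [, $ip, $when, $method, $path, $status] = $m;
        $why = [];
        if (in_array($ip, SUSPECT_IPS, true)) {
            $why[] = 'IoC address';
        }
        if (in_array(strtok($path, '?'), PROBE_PATHS, true)) {
            $why[] = 'plugin readme probe';
        }
        if ($why !== []) {
            $hits[] = compact('ip', 'when', 'method', 'path', 'status', 'why');
        }
    }
    return $hits;
}

// Constructed sample data: one legitimate admin, one editor, one account matching the IoCs.
$users = [
    ['user_login' => 'owner',    'user_email' => 'owner@example.org',  'user_registered' => '2021-03-02 10:00:00', 'capabilities' => ['administrator' => true]],
    ['user_login' => 'editor',   'user_email' => 'editor@example.org', 'user_registered' => '2022-05-11 09:30:00', 'capabilities' => ['editor' => true]],
    ['user_login' => 'wpadmins', 'user_email' => 'x@exelica.com',      'user_registered' => '2023-06-29 03:14:07', 'capabilities' => ['administrator' => true]],
];
$logLines = [
    '203.0.113.9 - - [14/Jul/2023:10:02:11 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Jul/2023:10:02:30 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '146.70.189.245 - - [29/Jun/2023:03:14:05 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "python-requests/2.31"',
];

print_r(auditUsers($users, ['owner'], '2023-06-26'));   // flags 'wpadmins' for four reasons
print_r(suspectLogHits($logLines));                    // flags the first and third lines
```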

Hackers Attacked GoDaddy and Stayed on the Company’s Systems for Several Years
https://gridinsoft.com/blogs/attackers-hacked-godaddy/
Tue, 21 Feb 2023 09:06:58 +0000


One of the world’s largest hosters and domain name registrars, GoDaddy, reports that hackers have compromised the company’s infrastructure. Worse, the company concluded that this was just one in a series of related incidents. It turns out that unknown attackers had access to the company’s systems for several years, were able to install malware on its servers, and stole the source code.

Let me remind you that we also reported that the Epik hoster hack affected 15 million users, not just the company’s clients, and also that Fosshost, an Open-Source Project Hosting, Is Closing Down as Its Leader Disappeared.

According to a report filed by the company with the U.S. Securities and Exchange Commission, the security breach was discovered in December 2022, when customers began reporting that their sites were being used to redirect visitors to random domains. After conducting an investigation, GoDaddy experts came to disappointing conclusions:

"Based on our investigation, we believe these incidents are part of a years-long campaign by an experienced group of attackers who, among other things, installed malware on our systems and obtained source code snippets related to certain services on GoDaddy," the company wrote.

It turned out that in December 2022, an attacker gained access to cPanel hosting servers, which customers use to manage sites hosted by GoDaddy. Then the hackers installed some kind of malware on the servers, and the malware “periodically redirected random client sites to malicious ones.”

In addition, incidents dated November 2021 and March 2020 are also reported to have been linked to these attackers.

Let me remind you that in 2021 it became known about the strange compromise of 1.2 million sites running on WordPress. All affected resources were hosted by GoDaddy, and then the company claimed that there was a hack and data leakage: the attackers gained access to the email addresses of all affected clients, their WordPress administrator passwords, sFTP and database credentials, and private SSL keys.

In 2020, GoDaddy notified 28,000 customers that in October 2019, attackers used their credentials to log into a hosting account and connect to their account via SSH.

Now, GoDaddy says it has found additional evidence linking these attackers to a larger malware campaign that has been going on for years against other hosting companies around the world.

"We have evidence, and law enforcement confirms, that this incident is connected to an experienced and organized group targeting hosting companies such as GoDaddy. According to the information we have received, their most likely purpose is to infect websites and servers with malware to carry out phishing campaigns, spread malware and perform other malicious activities," the company said in a statement.

GoDaddy is known to have engaged third-party security experts in the ongoing investigation and is also working with law enforcement around the world to uncover the source of these years-long attacks.

Exploits for Vulnerabilities in Three Popular WordPress Plugins Appeared on the Network
https://gridinsoft.com/blogs/vulnerabilities-in-wordpress-plugins/
Wed, 18 Jan 2023 17:29:12 +0000


Three popular WordPress plugins, with tens of thousands of active installations, at once turned out to have critical SQL injection vulnerabilities. In addition, PoC exploits for these bugs are now publicly available.

The vulnerabilities were discovered by Tenable, which notified the plugin developers about them back in mid-December 2022, providing proof-of-concept exploits. The plugin authors have since released patches for these problems, so the researchers have now revealed the technical details of the bugs.

Let me remind you that we also wrote that GoTrim Malware Hacks WordPress Sites, and also that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites.

Information security specialists also informed that Hackers Scanned 1.6 Million WordPress Sites Looking for a Vulnerable Plugin.

The first plugin vulnerable to SQL injection is Paid Memberships Pro, a membership and subscription management plugin used by over 100,000 sites.

"The plugin does not escape the code parameter in the /pmpro/v1/order REST path before it is used in a SQL statement, resulting in a vulnerability to unauthenticated SQL injection," the researchers write.

The vulnerability is being tracked as CVE-2023-23488 (CVSS score 9.8, i.e. critical) and affects all plugin versions older than 2.9.8. The issue has been fixed with the release of version 2.9.8.

The second vulnerable plugin is Easy Digital Downloads, an e-commerce and digital file selling plugin with over 50,000 active installations.

"The plugin does not escape the s parameter in edd_download_search before it is used in a SQL statement, which leads to a vulnerability to unauthenticated SQL injection," Tenable explains.

The vulnerability is being tracked as CVE-2023-23489 (also 9.8 on the CVSS scale) and affects all versions of the plugin older than 3.1.0.4 released before January 5, 2023.

Tenable also discovered a CVE-2023-23490 issue in the Survey Marker plugin used by 3,000 survey sites. The vulnerability received a CVSS score of 8.8, as an attacker must be authenticated (at least as a subscriber) in order to exploit the bug. Unfortunately, this condition can be easily met, since many sites allow visitors to register as members.

The vulnerability in the plugin was fixed with the release of version 3.1.2 at the end of December 2022.

GoTrim Malware Hacks WordPress Sites
https://gridinsoft.com/blogs/gotrim-botnet-hacks-wordpress/
Thu, 15 Dec 2022 08:42:53 +0000


Fortinet specialists have discovered a new GoTrim malware written in Go that scans the Internet for WordPress sites and brute-forces them by guessing the administrator password.

Such attacks can lead to the deployment of malware, the introduction of scripts on websites to steal bank cards, the placement of phishing pages, and other attack scenarios that potentially affect millions of users (depending on the popularity of the hacked resources).

Let me remind you that we also wrote that New Version of Truebot Exploits Vulnerabilities In Netwrix Auditor And Raspberry Robin Worm, and also that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites.

Experts write that GoTrim is still in development, but already has powerful features. Botnet attacks began at the end of September 2022 and are still ongoing.

Malware operators provide their bots with a long list of target resources and a list of credentials, after which the malware connects to each site and tries to brute force administrator accounts using logins and passwords from the existing list.

If successful, GoTrim logs in to the hacked site and sends information about the new infection to the command and control server (including the bot ID in the form of an MD5 hash). The malware then uses PHP scripts to extract the GoTrim bot client from a hard-coded URL, and then removes both the script and the brute force component from the infected system.

Actually, GoTrim can work in two modes: “client” and “server”. In client mode, the malware initiates a connection to the botnet’s control server, while in server mode it launches an HTTP server and waits for incoming requests. For example, if a hacked endpoint is directly connected to the Internet, the malware uses server mode by default.


GoTrim sends requests to the attacker’s server every few minutes, and if the bot does not receive a response after 100 attempts, it will stop working.

The C&C server can send the following encrypted commands to GoTrim:

  1. check provided credentials for WordPress domains;
  2. check provided credentials for Joomla! (not yet implemented);
  3. check provided credentials for OpenCart domains;
  4. verify provided credentials for Data Life Engine domains (not yet implemented);
  5. detect installations of CMS WordPress, Joomla!, OpenCart or Data Life Engine in the domain;
  6. eliminate malware.

Interestingly, the botnet tried to avoid the attention of the WordPress security team and did not attack sites hosted on WordPress.com, only targeting sites with their own servers. This is implemented by checking the Referer HTTP header for “wordpress.com”.

"Managed WordPress hosting providers like wordpress.com usually have more security measures in place to track, detect, and block brute force attempts than self-hosted sites. Therefore, a potentially successful attack is not worth the risk of detection," the researchers explain.

It is also noted that if the target site uses a CAPTCHA plugin to fight bots, the malware will detect it and download the appropriate solver. GoTrim currently supports seven popular CAPTCHA plugins.

In addition, experts noticed that the botnet avoids attacking sites hosted on 1gb.ru. The exact reasons for this behavior have not been established, although it is quite possible that the hackers who created the malware are simply located in Russia and are looking for an opportunity to launder money.

To protect against GoTrim and other similar threats, experts recommend that site administrators use strong passwords, do not reuse passwords, and always use two-factor authentication, if possible.

Attackers Hacked 15,000 Websites to Poison SEO
https://gridinsoft.com/blogs/attackers-hacked-15000-sites/ (Fri, 11 Nov 2022 11:06:59 +0000)
Sucuri analysts have discovered a massive hacking campaign in which the attackers hacked about 15,000 sites, mostly running WordPress.

Let me remind you that we also wrote that 0-day Vulnerability in WordPress BackupBuddy Plugin Attacked Over 5 million Times, and also that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites.

Attackers use the compromised resources for “black hat SEO”, adding about 20,000 files to each site and redirecting visitors to fake Q&A forums.

[Figure: Fake Q&A Forum]

Researchers believe that with the help of these files the attackers are trying to increase the number of indexed pages and thus improve the ranking of their fake question-and-answer sites in search engines. Apparently, these sites are later meant to be used to distribute malware or phishing campaigns, since even a short stay on the first page of Google search results can lead to many infections. Another scenario is also possible, since an ads.txt file was found on the fake resources: the operators of this campaign likely intend to attract traffic for advertising fraud.

Researchers say that on the hacked sites the attackers modify WordPress PHP files, including wp-signup.php, wp-cron.php, wp-settings.php, wp-mail.php and wp-blog-header.php, injecting redirects to the fake Q&A forums. In some cases the attackers also place their own PHP files on victims’ sites under random or pseudo-legitimate names, such as wp-logln.php.

[Figure: Malicious PHP]

All of these files contain malicious code that checks whether the visitor is logged into WordPress; if not, the user is redirected to https://ois[.]is/images/logo-6.png. This “PNG” file is actually JavaScript that sets window.location.href to generate Google Search redirects to one of the campaign’s target domains. Since the attackers use many subdomains, the full list of target domains contains more than 1,000 entries.

Thus, instead of an image (logo-6.png), JavaScript is loaded in the browser, which redirects the visitor to a URL that simulates a click on a Google search result and, in turn, leads to a Q&A site promoted by the attackers. In this way the hackers try to trick the system into believing their sites are popular, in the hope of improving their ranking in search results.

In addition, such redirects make the traffic look more like normal traffic, which is likely to bypass some security solutions.

[Figure: PNG file]
</gr_replreplace>

<gr_replace lines="328" cat="clarify" orig="At the same time,">
At the same time, nothing happens to a user who is logged into WordPress: the attackers do not want the site administrator to notice suspicious activity, since the administrator could then remove the malicious PHP files.

At the same time, it must be said that nothing will happen to a user logged into WordPress, since the site administrator should not detect suspicious activity. After all, then he can get rid of malicious PHP files.

Since most of the malicious sites hide their servers behind Cloudflare, Sucuri analysts were unable to learn more about the operators of this campaign. Judging by the fact that all the sites use the same templates and are created with automated tools, one group is clearly behind this massive campaign.


The researchers were also unable to determine exactly how the attackers broke into the victims’ sites that were then used for the redirects. Most likely, the hackers exploit vulnerable plugins or simply brute-force administrator passwords.

0-day Vulnerability in WordPress BackupBuddy Plugin Attacked Over 5 million Times
https://gridinsoft.com/blogs/0-day-vulnerability-in-wordpress/ (Tue, 13 Sep 2022 13:51:26 +0000)
Wordfence analysts have discovered that a fresh 0-day vulnerability in the popular WordPress plugin, BackupBuddy, which has been installed about 140,000 times, is under active attack. Since August 26, 2022, there have been about 5,000,000 hack attempts.

The BackupBuddy plugin allows users to back up their entire WordPress installation right from the dashboard, including theme files, pages, posts, widgets, users, media files and so on.

Let me remind you that we also talked about Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites, and also that About 30% of critical vulnerabilities in WordPress plugins remain unpatched.

The 0-day vulnerability has been identified as CVE-2022-31474 (CVSS 7.5) and affects BackupBuddy versions 8.5.8.0 through 8.7.4.1. The problem was fixed in early September, with the release of version 8.7.5.

The researchers explain that the bug allows unauthorized parties to download arbitrary files from the vulnerable site, which may contain sensitive information. The problem is known to be related to the Local Directory Copy function, which is designed to store a local copy of backups.

“This vulnerability allows an attacker to view the contents of any file on the server that your WordPress installation can access. This can be the WordPress wp-config.php file or, depending on the server settings, confidential files such as /etc/passwd,” the experts warn.

According to Wordfence, attacks on CVE-2022-31474 began on August 26, 2022, and nearly five million attempts have been recorded since then. Most attackers tried to read the following files:

  1. /etc/passwd
  2. /wp-config.php
  3. .my.cnf
  4. .accesshash

BackupBuddy users are now strongly advised to update the plugin to the latest version. Users who believe they may have been compromised are advised to immediately reset the database password and change the WordPress salts and API keys stored in wp-config.php.
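Rotating the salts and keys in wp-config.php, as recommended above, can be scripted so it is not forgotten under pressure. The following is an added example, not code from Wordfence or from the BackupBuddy project: it assumes the single-quoted define() lines that the WordPress installer writes, and the wp-config.php fragment is constructed.

```python
import re
import secrets
import string

WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus ' and \ so the value stays a valid PHP single-quoted literal.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")
# Matches the define( 'KEY', 'value' ); lines the WordPress installer writes.
DEFINE_RE = re.compile(r"define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*'(?P<val>[^']*)'\s*\);")

def new_secret(length=64):
    """Cryptographically random value of the length WordPress's own generator uses."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def weak_keys(config_text):
    """Keys that are missing, still at the installer placeholder, or shorter than 32 chars."""
    found = {m.group("key"): m.group("val") for m in DEFINE_RE.finditer(config_text)}
    return [k for k in WP_KEYS
            if k not in found or "put your unique phrase here" in found[k] or len(found[k]) < 32]

def rotate_salts(config_text):
    """Replace every salt/key define with a fresh value and append any that are missing.
    Returns (new_text, {key: value}). Rotation logs every user out, which is the point
    after a suspected wp-config.php disclosure; other defines (DB_NAME etc.) are untouched."""
    fresh = {k: new_secret() for k in WP_KEYS}

    def repl(m):
        k = m.group("key")
        return f"define( '{k}', '{fresh[k]}' );" if k in fresh else m.group(0)

    text = DEFINE_RE.sub(repl, config_text)
    present = {m.group("key") for m in DEFINE_RE.finditer(text)}
    for k in WP_KEYS:
        if k not in present:
            text += f"\ndefine( '{k}', '{fresh[k]}' );"
    return text, fresh

# Constructed wp-config.php fragment: one key at the installer placeholder, one sound
# 64-character key, one too-short salt, and five keys missing entirely.
SOUND = "A" * 64
SAMPLE_CONFIG = f"""<?php
define( 'DB_NAME', 'wp' );
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', '{SOUND}' );
define( 'NONCE_SALT',      'short' );
"""
```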

NetSupport and RaccoonStealer malware spreads masked as Cloudflare warnings
https://gridinsoft.com/blogs/netsupport-and-raccoonstealer/ (Wed, 24 Aug 2022 10:23:45 +0000)
Unknown attackers have hacked WordPress sites to display fake DDoS protection notifications supposedly coming from Cloudflare, and through these fakes they infect users with NetSupport RAT and the RaccoonStealer infostealer (aka Raccoon).

Let me remind you that we also talked about the fact that Hackers create scam e-commerce sites over hacked WordPress sites, and also that Hackers gained access to surveillance cameras in Tesla, Cloudflare and banks.

Sucuri experts note that DDoS protection pages are normally shown to users during checks that verify the visitor is a real person rather than a bot or a participant in a DDoS attack. Users have long been accustomed to such pages and usually treat them as an annoying but unavoidable hindrance. The researchers say that attackers are actively abusing this habit.

Unidentified hackers break into poorly protected WordPress sites and inject their pages with an obfuscated JavaScript payload that displays a fake DDoS protection message while pretending to be Cloudflare.

[Screenshot: fake DDoS protection page, NetSupport and RaccoonStealer campaign]

As you can see in the screenshot above, these messages ask the visitor to click a button to pass a check and bypass the DDoS protection. As you might guess, this is a scam: clicking the button only downloads the file security_install.iso, which pretends to be a tool for passing the verification. Users are then prompted to open security_install.iso and enter the code they supposedly receive afterwards.

[Screenshot: NetSupport and RaccoonStealer]

In fact, when security_install.iso is opened, the victim sees a file named security_install.exe, which is actually a Windows shortcut that runs a PowerShell command stored in the debug.txt file. This sequence launches a chain of scripts that shows the victim a fake verification code and installs the NetSupport remote access Trojan, which is often used in malicious campaigns.

[Screenshot: NetSupport and RaccoonStealer]

In addition, the scripts will download the Raccoon infostealer and run it on the device. This malware steals passwords, cookies, autofill data, bank cards saved in browsers, and also attacks a wide range of cryptocurrency wallets and is able to take screenshots of the victim’s desktop.

Experts recommend that WordPress site administrators carefully check theme files, as they are the most common point of initial infection. It is also recommended to use file integrity monitoring to detect JS injections as they occur.
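The integrity monitoring recommended here, and the modified core files and look-alike wp-logln.php from the SEO-poisoning post above, can both be caught by comparing a WordPress tree against a trusted baseline. The following is an added example, not Sucuri's or WordPress's own tooling: the core file names come from the post, while the injection patterns and the sample tree are constructed and should be tuned to your site.

```python
import hashlib, re, tempfile
from difflib import SequenceMatcher
from pathlib import Path

# Core files the SEO-poisoning campaign modified or imitated (names from the Sucuri report).
CORE_FILES = {"wp-signup.php", "wp-cron.php", "wp-settings.php", "wp-mail.php",
              "wp-blog-header.php", "wp-login.php", "wp-config.php"}
# Constructed heuristics for injected redirects / obfuscated JS; tune them for your site.
INJECTION_RE = re.compile(r"window\.location(\.href)?\s*=|eval\s*\(|String\.fromCharCode|atob\s*\(")

def snapshot(root):
    """Map relative path -> sha256 for every file under root (the trusted baseline)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def lookalike(name, threshold=0.85):
    """Core file name that `name` imitates (wp-logln.php -> wp-login.php), else None."""
    if name in CORE_FILES:
        return None
    best = max(CORE_FILES, key=lambda c: SequenceMatcher(None, name, c).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None

def scan(root, baseline):
    """Diff a WordPress tree against its baseline; return sorted (kind, path, detail) tuples."""
    root, findings = Path(root), []
    for rel, digest in snapshot(root).items():
        path = root / rel
        if rel in baseline and baseline[rel] != digest:
            findings.append(("modified", rel, "hash differs from baseline"))
        elif rel not in baseline and (path.suffix == ".php" or lookalike(path.name)):
            imitated = lookalike(path.name)
            findings.append(("new", rel, f"imitates {imitated}" if imitated else "unexpected PHP file"))
        if path.suffix in {".php", ".js", ".html"}:
            m = INJECTION_RE.search(path.read_text(errors="replace"))
            if m:
                findings.append(("injection", rel, m.group(0)))
    return sorted(findings)

def demo():
    """Constructed demo: baseline a tiny tree, then tamper with it the way the posts describe."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content/themes/t").mkdir(parents=True)
    (root / "wp-cron.php").write_text("<?php /* clean core file */ ?>")
    (root / "wp-content/themes/t/footer.php").write_text("<?php wp_footer(); ?>")
    baseline = snapshot(root)
    # Core file now redirects logged-out visitors, a look-alike is dropped, the theme footer is injected
    (root / "wp-cron.php").write_text("<?php if (!is_user_logged_in()) echo '<script>window.location.href=\"//x\"</script>'; ?>")
    (root / "wp-logln.php").write_text("<?php /* rogue look-alike file */ ?>")
    (root / "wp-content/themes/t/footer.php").write_text('<script>eval(atob("..."))</script>')
    return scan(root, baseline)
```

Take the baseline from a freshly installed or known-clean copy, store it outside the web root, and run the scan on a schedule.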
