Attackers are reported to be exploiting CVE-2021-25094, a remote code execution vulnerability in the Tatsu Builder WordPress plugin, in a large-scale campaign.
Tatsu Builder is a popular plugin that provides a powerful page-template editor running inside the web browser. About 100,000 websites have it installed.
The vulnerability, CVE-2021-25094, was discovered by independent researcher Vincent Michel, who publicly disclosed it together with proof-of-concept (PoC) exploit code on March 28, 2022. It allows a remote attacker to execute arbitrary code on servers running outdated versions of the plugin (all versions before 3.3.12).
The vendor released a fix in version 3.3.13 and, on April 7, 2022, urged users by email to update.
Wordfence, which provides security solutions for WordPress sites, has been tracking the current attacks. The large-scale wave began on May 10, 2022, peaked four days later, and is still ongoing. Although a patch has been available since early April, researchers estimate that 20,000 to 50,000 websites are still running vulnerable versions of Tatsu Builder.
[Figure: number of websites attacked]
Attack details
Wordfence reported that its customers were hit by millions of attack attempts; on May 14, 2022 alone the company blocked as many as 5.9 million. The number declined over the following days, but exploitation attempts remained at a high level.
[Figure: attacks detected and blocked by Wordfence]
The threat actors attempt to write a malware dropper into a subfolder of the wp-content/uploads/typehub/custom/ directory as a hidden (dot-prefixed) file. The dropper is named .sp3ctra_XO.php and has the MD5 hash 3708363c5b7bf582f8477b1c82c8cbf8. Any PHP file inside wp-content/uploads is already anomalous, since that tree should only hold media, and the leading dot keeps the file out of default directory listings, which is why it is easy to overlook.
[Figure: extended file check skipped hidden files]
Wordfence reported that more than a million attack attempts came from just three IP addresses: 148.251.183[.]254, 176.9.117[.]218 and 217.160.145[.]62. Site administrators should add these addresses to their block lists, bearing in mind that blocking them only stops this wave's current sources, not the vulnerability itself. To remove the risk, all Tatsu Builder users should upgrade to version 3.3.13.
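The following triage script is an added example, not code from Wordfence, the plugin vendor or the original article. It turns the indicators quoted above into three checks an administrator can run against a WordPress install: it reads the installed Tatsu version from the plugin's standard "Plugin Name:"/"Version:" header and compares it with 3.3.13, sweeps wp-content/uploads/typehub/custom/ for hidden files, PHP files and the known dropper name and MD5, and picks requests from the three reported IP addresses out of access-log lines. The WordPress tree it scans, the plugin file inside it, the dropper placeholder (its content is a stand-in, so its MD5 will not equal the real one) and the Apache combined-format log lines are all constructed here so the script runs offline; the only real-world assumptions are the standard plugin header format and the combined log format.

```python
"""Tatsu Builder / CVE-2021-25094 triage sweep (added example; indicators from the article above)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators of compromise as reported in the article.
DROPPER_NAME = ".sp3ctra_XO.php"
DROPPER_MD5 = "3708363c5b7bf582f8477b1c82c8cbf8"
UPLOAD_SUBDIR = Path("wp-content/uploads/typehub/custom")
ATTACK_IPS = {"148.251.183.254", "176.9.117.218", "217.160.145.62"}
PATCHED_VERSION = (3, 3, 13)          # version the vendor asks users to upgrade to
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

# WordPress reads plugin metadata from "Key: value" lines in the file's first 8 KB.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)
# Apache/nginx combined log: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def installed_plugin_version(wp_root: Path, plugin_name: str = "Tatsu"):
    """Locate the plugin by its 'Plugin Name:' header and return its version tuple, or None."""
    plugins = wp_root / "wp-content/plugins"
    if not plugins.is_dir():
        return None
    for main in plugins.glob("*/*.php"):
        fields = dict(HEADER_RE.findall(main.read_text(errors="replace")[:8192]))
        if fields.get("Plugin Name", "").lower() == plugin_name.lower():
            parts = [int(x) for x in re.findall(r"\d+", fields.get("Version", ""))[:3]]
            return tuple(parts) if parts else None
    return None


def tatsu_is_vulnerable(wp_root: Path) -> bool:
    ver = installed_plugin_version(wp_root, "Tatsu")
    return ver is not None and ver < PATCHED_VERSION


def scan_uploads(wp_root: Path) -> list:
    """Flag hidden files, PHP files and the known dropper under typehub/custom (os.walk sees dotfiles)."""
    findings = []
    base = wp_root / UPLOAD_SUBDIR
    if not base.is_dir():
        return findings
    for dirpath, _dirs, files in os.walk(base):
        for name in sorted(files):
            p = Path(dirpath) / name
            reasons = []
            if name.startswith("."):
                reasons.append("hidden dotfile")
            if p.suffix.lower() in PHP_SUFFIXES:
                reasons.append("PHP file inside uploads")
            if name == DROPPER_NAME:
                reasons.append("name matches dropper")
            digest = md5_of(p)
            if digest == DROPPER_MD5:
                reasons.append("MD5 matches dropper")
            if reasons:
                findings.append({"path": p.relative_to(wp_root).as_posix(), "md5": digest, "reasons": reasons})
    return findings


def hits_from_attack_ips(log_lines) -> list:
    """Return (ip, method, path, status) for every request from the three reported IP addresses."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(1) in ATTACK_IPS:
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hits


# Constructed sample log lines (not real traffic); the dropper path follows the article's description.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '148.251.183.254 - - [14/May/2022:10:01:05 +0000] "POST /index.php HTTP/1.1" 200 88 "-" "python-requests/2.27"',
    '217.160.145.62 - - [14/May/2022:10:01:09 +0000] "GET /wp-content/uploads/typehub/custom/x/.sp3ctra_XO.php HTTP/1.1" 403 0 "-" "curl/7.68"',
]


def build_fixture() -> Path:
    """Constructed WordPress tree: an outdated Tatsu header plus a placeholder standing in for the dropper."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    plugin = root / "wp-content/plugins/tatsu"          # directory/file names are fixture choices
    plugin.mkdir(parents=True)
    (plugin / "tatsu.php").write_text("<?php\n/*\nPlugin Name: Tatsu\nVersion: 3.3.11\n*/\n")
    custom = root / UPLOAD_SUBDIR / "sub"
    custom.mkdir(parents=True)
    (custom / DROPPER_NAME).write_text("<?php /* placeholder, not the real dropper */ ?>")
    (custom / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # benign upload, should not be flagged
    return root


if __name__ == "__main__":
    root = build_fixture()
    print("Tatsu version:", installed_plugin_version(root), "vulnerable:", tatsu_is_vulnerable(root))
    for f in scan_uploads(root):
        print("SUSPECT", f["path"], f["md5"], "|", ", ".join(f["reasons"]))
    for hit in hits_from_attack_ips(SAMPLE_LOG):
        print("ATTACK-IP", *hit)
```

Point `build_fixture()`'s root at a real document root and feed real access-log lines to `hits_from_attack_ips` to use this on a live site. The sweep flags any PHP under uploads, not only the named dropper, because a hash match only catches this exact payload while a PHP file in a media directory is suspicious regardless of its name or hash.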
Chris Olson, CEO of The Media Trust, a mobile and network security company, said: "When it comes to network security, most organizations seldom consider their websites. The Tatsu vulnerability shows us why this is wrong. Websites play a key role in marketing and revenue generation. They are increasingly becoming a target for hackers and a source of risk for customers and temporary visitors."
Olson added that, as a preventive measure, anyone who manages an organization's website should maintain it regularly, including updating plugins and applying security patches. "If it runs WordPress or another open source CMS that relies heavily on third-party code, this is even more important, because those are the main drivers of risk."