Researchers found an ongoing malicious campaign against millions of WordPress websites that uses backdoors and vulnerabilities in various WordPress plug-ins to infect them.
According to WordPress statistics, the WordPress content management system powers nearly 60 million websites, and developers around the world have installed hundreds of WordPress plug-ins.
Cybercriminals deliver the payload by exploiting vulnerabilities in some of the most popular WordPress plug-ins and injecting malicious scripts into unpatched WordPress websites.
This new campaign aims to take full control of millions of WordPress websites and redirect visitors to malicious websites, where attackers serve malware downloads and add backdoors.
Wordfence's latest investigation found that the initial attacks came from many IPs associated with a web hosting provider.
Shortly afterwards, they found that only one IP address was still tied to the ongoing malicious activity. It was associated with a Rackspace server that hosted some of the attacked websites.
Attackers use WordPress plug-ins to add backdoors
The campaign targets many popular WordPress plug-ins, and new vulnerabilities have been added to its target list.
Recently, Nintendo warned WordPress users that a vulnerability was found in the Bold Page Builder plug-in, which is installed on more than 20,000 WordPress websites. Attackers are actively exploiting this vulnerability to compromise WordPress-powered websites.
According to Wordfence, this new campaign is also actively targeting the following well-known WordPress plug-ins:
Bold Page Builder
Blog Designer
Live chat with Facebook Messenger
Yuzo related position
Visual css style editor
Wp real-time chat support
Form lightbox
Mixed composer
All previous nicdark plug-ins (nd booking, nd travel, nd learning, etc.)
Unfortunately, if vulnerabilities affecting new targets are disclosed in the near future, the threat actor will keep updating this campaign.
In the initial stage of the study, researchers found that the attackers injected malicious scripts, redirected visitors to malicious websites and pushed unwanted pop-up windows.
The new round of activity, however, infects vulnerable WordPress sites in order to take advantage of an administrator's session and take control of the website.
The attackers evade detection by WAF and IDS software by injecting obfuscated scripts.
The JavaScript payload delivered by this campaign lets an attacker create a new administrator account, after which the attacker can freely install more backdoors or perform other malicious activities.
(Translated from gbhackers)
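Because the payload's end goal is a new administrator account, one practical check on a site running any of the listed plug-ins is to audit who holds the administrator role. The following is an added example, not part of the original article or of Wordfence's tooling: it assumes the default `wp_` table prefix, uses an in-memory SQLite stand-in for the site database, and all user rows, logins and dates are constructed.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample rows shaped like WordPress's wp_users / wp_usermeta
# tables (default "wp_" prefix assumed); not data from the campaign.
SAMPLE_USERS = [
    (1, "siteowner", "2017-03-02 09:15:00"),
    (2, "editor_amy", "2018-11-20 14:02:11"),
    (3, "wpsupport01", "2019-08-29 03:41:07"),
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Role names are the string keys of the PHP-serialized capabilities array.
ROLE_KEY = re.compile(r's:\d+:"([^"]+)";b:1;')


def load_sample_db():
    """Build an in-memory SQLite stand-in for the site database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return db


def audit_admins(db, approved_logins, baseline):
    """Return administrators that are unapproved or registered after baseline."""
    rows = db.execute(
        "SELECT u.user_login, u.user_registered, m.meta_value FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' ORDER BY u.ID"
    ).fetchall()
    findings = []
    for login, registered, caps in rows:
        if "administrator" not in ROLE_KEY.findall(caps):
            continue  # only the administrator role is of interest here
        reasons = []
        if login not in approved_logins:
            reasons.append("not in approved list")
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") > baseline:
            reasons.append("registered after baseline")
        if reasons:
            findings.append((login, registered, reasons))
    return findings
```

Calling `audit_admins(load_sample_db(), {"siteowner"}, datetime(2019, 7, 1))` flags only the constructed `wpsupport01` account; against a real site the same query would run on the site's own database with the owner's list of approved logins.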