More and more hackers use the latest security vulnerabilities found recently in WordPress plugins attack. Cybercriminals are targeting those website owners who fail to update their plugins and still use old versions of vulnerable versions.
Several groups of hackers do it. For now, security experts know at least two groups who are attacking unpatched versions of Profile Builder, ThemeGrill Demo Importer, and Duplicator plugins.
These are quite popular plugins installed on numerous websites. It is estimated that there are several hundreds of thousands of websites that risk being exploited because their owners failed to update those three plugins.
All of the above-mentioned plugins share one common thing. Security researchers have recently shared reports about critical security bugs found in these plugins that could lead to website compromise.
One of the adversaries that security experts call Tonyredball gets access to WP websites that have a vulnerable version of:
ThemeGrill Demo Importer (below version 1.6.3) The flaw allows any user to log in like an admin and wipe the entire database.
Profile Builder (below version 3.1.1) The bug allows unauthenticated users to get admin privileges too.
Security experts from Defiant point out that the Tonyredball group exploits the admin registration bug in Profile Builder plugin using web requests containing the email and username of the new admin account.
At the same time, experts believe that this hacker group is engaged in many other attacks that exploit the database deletion bug found in the ThemeGrill Demo Importer plugin.
The reason for the mass exploitation of ThemeGrill Demo Importer is probably the ease of doing it. It only requires attackers to send a request to a vulnerable site attack through WordPress plugins. And in the case of Profile Builder, attackers would need to put in more serious efforts since they should find the vulnerable form first.
The final result of exploiting both vulnerabilities is getting administrative privileges and the ability to access the victim’s website. Once access is obtained, with the help of the theme and plugin uploaders, hackers upload their malicious scripts into the WordPress dashboard.
The threat actors utilize multiple types of scripts that are associated with such filenames as wp-block-plugin.php, blockspluginn.php, supersociall.php, and wp-block-plugin.php.
After the initial exploitation, attackers deliver additional payloads intended to infect more files and get a wider presence on the site. In addition, researchers observed that malware authors start to look for other WP sites that are vulnerable to the same exploitation method.
At the present moment, this redirect is easy to spot and not sophisticated, but the malefactors may modify their script to be much sneakier.
In one case, visitors were redirected to a website called Talktofranky that requested to press Allow on the browser notification pop up, in order to prove they are real people and not bots. If visitors did so, they permitted the site to send various notifications, including spam.
This may look like a minor threat but owners of Mac devices that are not easy to hack often fall victim to such tricks. For example, users found themselves redirected to rogue sites like A.akamaihd.net.
Security researchers found a discussion on one of the online forums dedicated to this situation, suggesting that there are quite a few victims.
What is interesting, all the attacks of the Tonyredball group originate from a single IP -126.96.36.199. It is located Estonia and allocated to the local hosting provider called GMHost. This provider is well known for its poor policies that attract many cybercriminals to host there. This provider just does not react to complaints.
It is not very clear how many WordPress websites can be hit because of vulnerable plugins. Researchers estimate that the Profile Builder plugin may be installed on around 37k sites and ThemeGrill Demo Importer on around 40k sites.
One more group which appears to be more sophisticated is called Solarsalvador1234. Researchers from Defiant named it so because it is the name of an email address often used in web requests that led to exploitation.
This threat actor also targets the two above mentioned plugins but in addition to them, the Solarsalvador1234 group has the Duplicator plugin on its list. This WordPress plugin helps to clone and migrate a website from one place to another. It has more than one million active installations!
Versions of Duplicator that are lower than 1.3.28 are reported to possess a security flaw that permits unauthenticated visitors to download different files from targeted websites.
This bug is often used to get the victim site’s configuration file – wp-config.php that stores user credentials to access the database. The main goal is to obtain extended and long-term entrance possibilities on the compromised website.
So, by exploiting those three security vulnerabilities, at the end of the day, attackers get full administrative access to victim websites. It is important to remind that those vulnerabilities are already publicly disclosed and patched.
In the case of the hack, website owners should blame themselves for not following security best practices and failing to update attack WordPress plugins in time. Based on recent stats security researchers believe that about 800k websites still run an unpatched version of Duplicator.
There are many reasons to believe that the above mentioned three vulnerable plugins are not the only ones that are being exploited.
Again, website owners should remember that once any security update is released, it should be their priority to install it as more and more hackers attack WordPress websites, quickly finding and exploiting all new and old security flaws.