Cybercriminals Attacked 1 Million WordPress Sites

✨ Megiddo

Experts have documented a massive malware campaign targeting WordPress sites.

Wordfence specialists warned of a new large-scale malicious campaign aimed at sites running WordPress. Over the past seven days alone, attackers tried to hack about 1 million sites.

The campaign began on April 28, 2020, and within a few days the volume of malicious traffic recorded by Wordfence exceeded the usual rate by a factor of 30. Judging by the payload that the attackers are trying to inject into the targeted sites, the same cybercriminal group is behind most of the attacks. The payload is malicious JavaScript code that redirects users to malicious resources and uses an administrator's session to inject a backdoor into the theme header.

In addition, the attackers exploit long-known vulnerabilities that allow them to change a site's home URL to the same domain that is used in the XSS payload, redirecting visitors to sites with malicious advertising. The most commonly targeted vulnerabilities are cross-site scripting in the Easy2Map and Blog Designer plugins (both fixed in 2019) and the Newspaper theme (fixed in 2016), as well as options update flaws in WP GDPR Compliance (fixed in 2018) and Total Donations (fixed in 2019).

According to Wordfence, in the past this group carried out much smaller attacks, but recently it has significantly increased its activity: in just one day, May 3, experts recorded more than 20 million attempts to hack over half a million sites. Over a month, more than 24 thousand IP addresses were identified sending requests that matched these attacks on 900 thousand sites.
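A site owner can check for the two changes described above, a rewritten home URL and a modified theme header. The following is an added example, not code from the post or from Wordfence. It assumes you have exported the `home` and `siteurl` values from `wp_options`, kept a SHA-256 baseline of the theme's `header.php`, and maintain your own allowlist of script hosts; all hosts and file contents below are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Matches the src attribute of a <script> tag (quoted or unquoted).
SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def host_of(url):
    """Hostname of an absolute or protocol-relative URL; None for relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower() or None

def audit_options(options, expected_host):
    """Flag home/siteurl values that no longer point at the site's own host."""
    return [f"option {name} = {options.get(name, '')!r}"
            for name in ("home", "siteurl")
            if host_of(options.get(name, "")) != expected_host]

def audit_header(source, baseline_sha256, allowed_hosts):
    """Flag a modified header.php and any script loaded from an unlisted host."""
    findings = []
    if hashlib.sha256(source.encode()).hexdigest() != baseline_sha256:
        findings.append("header.php differs from baseline")
    for lineno, line in enumerate(source.splitlines(), 1):
        for src in SCRIPT_SRC.findall(line):
            host = host_of(src)
            if host and host not in allowed_hosts:
                findings.append(f"header.php:{lineno} loads script from {host}")
    return findings

# Constructed sample data: hosts are placeholders, not indicators from the report.
CLEAN_HEADER = ('<head>\n<script src="/wp-includes/js/jquery/jquery.min.js"></script>\n'
                '<?php wp_head(); ?>\n</head>\n')
TAMPERED_HEADER = CLEAN_HEADER.replace(
    "<?php wp_head(); ?>",
    "<script src='//ads.invalid/t.js'></script>\n<?php wp_head(); ?>")
BASELINE = hashlib.sha256(CLEAN_HEADER.encode()).hexdigest()
OPTIONS = {"home": "https://ads.invalid/", "siteurl": "https://shop.example.org"}

if __name__ == "__main__":
    own = "shop.example.org"
    for finding in (audit_options(OPTIONS, own)
                    + audit_header(TAMPERED_HEADER, BASELINE, {own})):
        print(finding)
```

The baseline comparison catches any change to the header, including injected PHP that contains no script tag; the script-host scan only adds a pointer to where an external script was inserted.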