Hackers Launching Massive Cyber Attack on 900,000 Websites To Inject Backdoor

Recently, more than 900,000 WordPress websites have been attacked by hackers, simply to redirect each and every visitor to malvertising sites, and not only that, even they have also set a backdoor if an administrator tries to log-in.

This cyber-attack occurred on April 28, 2020, and suddenly it rose above in the next few days nearly 30 times the average volume they saw in their attack data.

Researhers also stated that this whole attack carried by a single hacker, and he/she used nearly 24,000 IP addresses over the past month to convey malicious offers to more than 900,000 sites.

Wordfence Threat Intelligence Team stated regarding the conflict that they have been tracking an unexpected expansion in attacks that are continuously targeting the Cross-Site Scripting (XSS) vulnerabilities.

Targets

During the whole attack, the actor has used various targets, and several targeted vulnerabilities were already attacked in some previous campaigns. Here are the most popular targeted vulnerabilities:-

  • An XSS vulnerability in the Easy2Map plugin, that was removed from the WordPress plugin repository in August 2019, and according to the reports, it is installed on less than 3,000 sites. Moreover, this flaw simply deemed more than half of all of the attacks.
  • An XSS vulnerability in Blog Designer was also patched in 2019, and this vulnerability was one of the targets of previous campaigns. Apart from this, currently, this vulnerable plugin has no more than 1,000 vulnerable installations.
  • An options update vulnerability in WP GDPR Compliance patched in late 2018 that allows the attackers to change the site’s home page URL along with other options. This plugin has more than 100,000 installations, and according to the reports, it has no more than 5,000 vulnerable installations remain.
  • An option update vulnerability in Total Donations and this flaw also allows attackers to change the site’s home URL just like the above one. But, in early 2019, this plugin was removed permanently from the Envato Marketplace, and currently, it has less than 1,000 installations remain.
  • An XSS vulnerability in the popular and one of the most used WordPress themes, Newspaper, was patched in 2016, and the most fascinating thing is that this vulnerability was targeted in the past.

Breaking Down the Attack Data

Most of these attacks tried to inject various malicious javascript that are generally placed at count[.]trackstatisticsss[.]com/STM. Next, these are put into a site in a manner that they will be executed by an administrator’s browser. But there are few cases where they use the common URI of the malicious script, whereas others simply rely on String.fromCharCode to confuse the inserted script section.

They generally used different types of payload in various conflicts, thus in the backdoor, they downloaded different payload from https://stat[.]trackstatisticsss[.]com/n.txt, base64_decodes it, after that they keep it in a temporary file|htht|, it tries to administer it by adding it in the theme header and then extracts the temporary file.

Attackers simply utilized this method, as it allows them to maintain the control of the site, as they could easily adjust the contents of the file a thttps://stat[.]trackstatisticsss[.]com/n.txt.

What should I do?

Now, most of the victims get confused as they don’t have the exact idea to deal with this situation. Thus the very first thing the victim can do is to maintain the plugins simply by keeping them up to date and remove the plugins that are withdrawn from the WordPress plugin repository. Well, in most of the situations, they attack the vast majority of targeted vulnerability that are covered for months or year ago.

But, there are no attacks that are related to the latest version of any recently available plugins. Thus, if you are managing a Web Application, then firewalls can likewise help you to defend your site against any vulnerabilities that may not have been patched yet.

Apart from this, Wordfence has clearly suggested that hackers are advanced enough to produce new ventures and are expected to turn to other vulnerabilities in the future. That’s why they have strongly recommended the owner of the WordPress website to update there themes and plugins that they have installed on their sites.

So, what do you think about this? Simply share all your views and thoughts in the comment section below.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Also Read:

Hackers Are Exploiting These Web Application Vulnerabilities to Install Persistent Backdoor – NSA

Russian Hackers Group Behind “TrickBot” Developed Advanced Fileless Backdoor “PowerTrick” To Attack High Profile Targets

TA505 Russian Hacking Groups Attack banks and Financial Organizations In Europe

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.