Recent surge in two WordPress attacks

Overview of WordPress Attacks on the Rise

This threat report is about a recent surge in two types of attacks against websites running the WordPress content management system (CMS).

WordPress is the most popular CMS and runs on millions of websites. Over the past six weeks, sources have reported increased malicious traffic against WordPress sites.

Wordfence, a popular WordPress endpoint firewall solution, appears to have detected the initial increase as detailed on a blog post from May 5^th, 2020. The threat actor behind these attacks is currently unknown, though a single entity appears responsible.

WordPress Attacks Tactics, Techniques, and Procedures

First Type of WordPress Attack

Cross-site scripting (XSS) is the primary technique used by the threat actor.

Malicious JavaScript code is uploaded to the site and used to redirect website visitors. The code executed checks for WordPress login cookies. If the user is logged in as an administrator of the site, a PHP backdoor is uploaded to the current running WordPress theme, giving the threat actor full access to the site.

Once the backdoor is uploaded, it may be used for a web shell. This could allow the attacker opportunity for lateral movement within your network.

Wordfence noted the WordPress “Newspaper” theme and these four plugins were the most targeted for this XSS attack: Easy2Map, Blog Designer, WP GDPR Compliance, and Total Donations.

Second Type of WordPress Attack

In addition to XSS attacks, the same threat actor has more recently attempted a less complex attack to gain access to database credentials. This is done by downloading the “wp-config.php” file through directory traversal, which is part of every WordPress installation. This file contains information needed for the site to run, including credentials to authenticate with the site’s MySQL database, database name and host, keys, and salts.

With this information, a bad actor could easily manipulate the database for malicious purposes.

How The WordPress Attacks Affect You

• Compromise of administrator and/or database credentials.
• May lead to sensitive data exfiltration or loss.

Recommendations for Stopping These WordPress Attacks

We recommend the following steps to defend against these WordPress attacks:

• Ensure any WordPress sites and plugins are updated. Outdated WordPress installations are a very common attack vector.
• Uninstall any plugins no longer in use.
• Ensure any user input is properly validated to prevent directory traversal. See https://portswigger.net/web-security/file-path-traversal for more information on these attacks.
• If possible, configure your MySQL instance to limit remote connections to only specific IP addresses/ranges or users. This will prevent bad actors from connecting with compromised credentials.
• As a precaution, you may want to change your WordPress MySQL database password as well as the keys/salts in the “wp-config.php” file to ensure an attacker would be unable to use them if previously compromised. This can be done manually or through a plugin, if preferred. See https://www.malcare.com/blog/wordpress-salts/ for a detailed guide.
• Review your environment for the below Indicators of Compromise (IOC) from Wordfence.
• Consider also blocking the IP addresses listed below at your firewall.

Patches

Update to WordPress Core 5.4.2 (https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/) which patches known XSS vulnerabilities.

IOCs

• Strings
  • hjt689ig9
  • trackstatisticsss

• IP Addresses
  • 200.25.60.53
  • 51.255.79.47
  • 194.60.254.42
  • 31.131.251.113
  • 194.58.123.231
  • 107.170.19.251
  • 188.165.195.184
  • 151.80.22.75
  • 192.254.68.134
  • 93.190.140.8
  • 185.189.13.165
  • 198.154.112.83
  • 89.179.243.3
  • 132.148.91.196
  • 104.236.133.77
  • 188.166.176.210
  • 77.238.122.196
  • 74.94.234.151
  • 188.166.176.184
  • 68.183.50.252

Additional Resources for Protecting Against the WordPress Attacks

External Sources

• https://exchange.xforce.ibmcloud.com/collection/Attack-Campaign-Targeting-WordPress-Database-Credentials-ad880bda3a737b2422a83e5a9a421ab0
• https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/
• https://www.wordfence.com/blog/2020/06/large-scale-attack-campaign-targets-database-credentials/

Supporting Documentation

• MITRE Mapping(s)
  • Initial Access: https://attack.mitre.org/tactics/TA0001/
    • Drive-by Compromise: https://attack.mitre.org/techniques/T1189/
  • Credential Access: https://attack.mitre.org/tactics/TA0006/
    • Steal Web Session Cookie: https://attack.mitre.org/techniques/T1539/
  • Impact: https://attack.mitre.org/tactics/TA0040/
    • Stored Data Manipulation: https://attack.mitre.org/techniques/T1492/
  • Persistence: https://attack.mitre.org/tactics/TA0003/
    • Web Shell: https://attack.mitre.org/techniques/T1100/

Supporting links found through other resources: https://www.welivesecurity.com/2020/05/06/almost-million-wordpress-websites-targeted-campaign/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed security service capabilities.