Malicious WordPress Redirect Campaign Attacking Several Plugins

[djbaxter]

Malicious WordPress Redirect Campaign Attacking Several Plugins
by Mikey Veenstra, Wordfence
August 22, 2019

Over the past few weeks, our Threat Intelligence team has been tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to maliciously redirect traffic from victims’ sites to a number of potentially harmful locations.

Vulnerable plugins:

• NicDark Plugins – Unauthenticated Arbitrary Options Update
  • Though several individual plugins are affected, the vulnerability is the same across each and they are covered by a single firewall rule.
  • Affected plugin slugs are prefixed with nd-. Example plugins include Components For WP Bakery Page Builder (slug: nd-shortcodes), Booking (slug: nd-booking), Travel Management (slug: nd-travel), etc.
  • Firewall rule released for Premium users on July 30, 2019
  • Available for Free users starting August 29. 2019
• Simple 301 Redirects Addon – Bulk Uploader <= 1.2.5 – Unauthenticated Options Update
  • Firewall rule released for Premium users on August 6, 2019
  • Available for Free users starting September 5, 2019

Each of these plugins have updates available which resolve the vulnerabilities. All WordPress users, regardless of firewall status, are advised to keep their plugins up-to-date at all times.

In addition to the primary two above, we have identified related attacks against a number of other formerly-vulnerable plugins, including (but not limited to):

• Woocommerce User Email Verification
• Yellow Pencil Visual Theme Customizer
• Coming Soon and Maintenance Mode
• Blog Designer

The domains used by the attackers in performing these script injections and redirects rotate with some frequency. New domains appear every few days, and attacks involving older domains taper off.

Read more...

 

[djbaxter]

Ongoing Malvertising Campaign Evolves, Adds Backdoors and Targets New Plugins
by Mikey Veenstra, Wordfence.com
August 30, 2019

In July, we reported on a malvertising campaign which was distributing redirect and popup code through a number of public vulnerabilities affecting the WordPress ecosystem. As mentioned in the article, we’ve continued tracking this threat for new or changing activity.

Much of the campaign remains identical. Known vulnerabilities in WordPress plugins are exploited to inject malicious JavaScript into the frontends of victim sites, which causes the sites’ visitors to be redirected to potentially harmful content like malware droppers and fraud sites. Where possible, the payloads are obfuscated in an attempt to avoid detection by WAF and IDS software.

One IP Address Is Issuing Most of the Attacks
During the initial investigation, we identified the attacks coming from a number of IP addresses linked to web hosting providers. Shortly after that post, most of the IPs involved ceased the activity. One IP address, however, has continued the attacks.

The IP address in question is 104.130.139.134, a Rackspace server currently hosting some presumably compromised websites. We have reached out to Rackspace to inform them of this activity, in hopes that they will take action in preventing further attacks from their network. We have not yet heard back.

The plugins currently under attack in this campaign are:

• Bold Page Builder
• Blog Designer
• Live Chat with Facebook Messenger
• Yuzo Related Posts
• Visual CSS Style Editor
• WP Live Chat Support
• Form Lightbox
• Hybrid Composer
• All former NicDark plugins (nd-booking, nd-travel, nd-learning, et. al.)

The campaign picks up new targets over time. It’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor.

Read more...