Researchers at Defiant, the company behind the Wordfence security plugin for WordPress websites, have come across a malvertising campaign that leverages recently disclosed plugin vulnerabilities to inject malicious code into websites.
The hackers have been using flaws in WordPress plugins such as “Coming Soon and Maintenance Mode,” “Yellow Pencil Visual CSS Style Editor” and “Blog Designer” to achieve their goals. Each of these plugins has thousands or tens of thousands of active installations.
Victims are first redirected to a site that checks the type of device they are using and, based on that and other factors, redirects them to one of several kinds of malicious or scammy destinations, including tech support scams, shady pharma ads, and malicious Android APKs. In some cases, the exploit targets the user’s browser directly and attempts to convince them to click on various things.
The attackers have exploited stored cross-site scripting (XSS) vulnerabilities in Blog Designer and Coming Soon and Maintenance Mode, and an unauthenticated arbitrary options update weakness in the Yellow Pencil plugin.
The Yellow Pencil flaw was first exploited in April, just days after a researcher disclosed its details and published a proof-of-concept (PoC). This vulnerability can be highly useful to attackers as it allows them to create new admin users, enabling them to easily take control of a WordPress site.
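The “unauthenticated arbitrary options update” weakness described above is a recurring WordPress plugin bug class. The following is a constructed illustration added here, not code from the Yellow Pencil plugin or from Defiant: a weak AJAX handler that lets any visitor write any option into `wp_options`, beside a hardened version that requires an administrator, verifies a nonce, and allow-lists the option names it will touch (so core settings governing registration and default roles cannot be altered through it). The `demo_*` action and option names are hypothetical.

```php
<?php
// Constructed example of the unauthenticated arbitrary options update pattern.
// NOT code from the Yellow Pencil plugin; the demo_* names are hypothetical.

// WEAK: registered on the nopriv hook, so an anonymous request to
// wp-admin/admin-ajax.php?action=demo_save_option can set ANY option.
add_action( 'wp_ajax_nopriv_demo_save_option', 'demo_save_option_weak' );
function demo_save_option_weak() {
    update_option( sanitize_key( $_POST['name'] ), wp_unslash( $_POST['value'] ) );
    wp_send_json_success();
}

// HARDENED: logged-in users only (no nopriv hook), CSRF nonce check,
// capability check, allow-listed option names, per-option sanitizer.
add_action( 'wp_ajax_demo_save_option', 'demo_save_option_hardened' );
function demo_save_option_hardened() {
    // Rejects the request (and exits) if the nonce is missing or invalid.
    check_ajax_referer( 'demo_save_option', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }

    // Only this plugin's own options may be written, each with a sanitizer.
    $allowed = array(
        'demo_custom_css' => 'wp_strip_all_tags',
        'demo_site_tag'   => 'sanitize_text_field',
    );

    $name = isset( $_POST['name'] ) ? sanitize_key( $_POST['name'] ) : '';
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( 'unknown option', 400 ); // exits
    }

    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );

    update_option( $name, $value );
    wp_send_json_success( array( 'name' => $name ) );
}
```

When auditing a plugin, the quick check is whether any `wp_ajax_nopriv_*` handler (or `admin_init`/`init` hook) reaches `update_option()` without a capability check and without constraining the option name.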
“The majority of the XSS injection attempts tracked during this campaign were sent by IP addresses linked to popular hosting providers,” explained Defiant’s Mikey Veenstra. “With attacks sourced from IPs hosting multiple live websites, as well as our own evidence of infected sites associated with this campaign, it’s likely the threat actor is using infected sites to deliver XSS attacks by proxy.”
Defiant’s blog post contains indicators of compromise (IoCs) that can be useful to defenders.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.