This threat report is about a recent surge in two types of attacks against websites running the WordPress content management system (CMS).
WordPress is the most popular CMS and runs on millions of websites. Over the past six weeks, sources have reported increased malicious traffic against WordPress sites.
Wordfence, a popular WordPress endpoint firewall solution, appears to have detected the initial increase as detailed on a blog post from May 5th, 2020. The threat actor behind these attacks is currently unknown, though a single entity appears responsible.
Cross-site scripting (XSS) is the primary technique used by the threat actor.
Once the backdoor is uploaded, it may be used for a web shell. This could allow the attacker opportunity for lateral movement within your network.
Wordfence noted the WordPress “Newspaper” theme and these four plugins were the most targeted for this XSS attack: Easy2Map, Blog Designer, WP GDPR Compliance, and Total Donations.
In addition to XSS attacks, the same threat actor has more recently attempted a less complex attack to gain access to database credentials. This is done by downloading the “wp-config.php” file through directory traversal, which is part of every WordPress installation. This file contains information needed for the site to run, including credentials to authenticate with the site’s MySQL database, database name and host, keys, and salts.
With this information, a bad actor could easily manipulate the database for malicious purposes.
We recommend the following steps to defend against these WordPress attacks:
Update to WordPress Core 5.4.2 (https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/) which patches known XSS vulnerabilities.
Supporting links found through other resources: https://www.welivesecurity.com/2020/05/06/almost-million-wordpress-websites-targeted-campaign/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Deciding between running an in-house SOC vs. using managed security services to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!