A zero-day vulnerability was recently discovered in a popular WordPress plugin and now cybercriminals exploiting the flaw have begun to protect the sites they’ve compromised from attacks launched by other threat actors.
The security flaw was first discovered by the security firm Defiant who recorded attacks on over 1.7m WordPress sites that had vulnerable versions of the File Manager plugin installed. However, in the past week, the number of sites attacked has increased to over 2.6m.
If exploited, the flaw allows attackers to upload malicious PHP files and execute arbitrary code on WordPress sites that have not updated to the latest version of File Manager.
The plugin’s developers created and put out a patch for the vulnerability with the release of File Manager 6.9. Unfortunately though, many site owners have yet to update to the latest version of the plugin which has left their sites vulnerable to attacks.
Defending hacked WordPress sites
Multiple cybercriminals are currently targeting sites running vulnerable versions of the File Manager plugin according to a new report from Defiant. However, Wordfence QA engineer Ram Gall explained that two of these attackers have begun to defend the sites they’ve hacked, saying:
“We’ve seen evidence of multiple threat actors taking part in these attacks, including minor efforts by the threat actor previously responsible for attacking millions of sites, but two attackers have been the most successful in exploiting vulnerable sites, and at this time, both attackers are password protecting vulnerable copies of the connector.minimal.php file.”
One of the attackers, who goes by the handle bajatax, is a Moroccan threat actor who is known for stealing user credentials from PrestaShop e-commerce websites. After compromising a WordPress site, bajatax then injects malicious code which harvests user credentials via Telegram when a site owner logs in and these credentials are then sold to the highest bidder. The other threat actor injects a backdoor, camouflaged as an .ico file, into a randomized folder as well as the site’s webroot to ensure that they can continue to access the compromised site.
Defiant has observed both threat actors using passwords to protect the exploitable connector.minimal.php file on sites they’ve previously infected. Gall provided further details on how these two threat actors are defending WordPress sites they’ve compromised, saying:
“Our site cleaning team has cleaned a number of sites compromised by this vulnerability, and in many cases, malware from multiple threat actors is present. The aforementioned threat actors have been by far the most successful due to their efforts to lock out other attackers, and are collectively using several thousand IP addresses in their attacks.”
WordPress site owners that have the File Manager plugin installed should update to version 6.9 immediately to avoid falling victim to any potential attacks, especially now that cybercriminals have stepped up their efforts.