Serious vulnerabilities in at least 11 plugins for WordPress are currently being used in an ongoing malware campaign that appears to have started last month.
However, the group appears to have changed their tactics two weeks ago. Mikey Veenstra reported on the WordFence website.
Change of tactics
In the first instance, the malicious code with which sites were injected was meant to show pop-up advertisements. Visitors were also redirected to rogue websites.
But according to Veenstra, the hackers changed their code on 20 August. As a result, the code is now also able to check whether a visitor has the rights to create user accounts on the site.
The moment someone with admin rights logs in, the code creates a new admin account unnoticed. For this, the email address of wpservices@yandex.com
and the password w0rdpr3ss
are used.
The hackers can then use this admin account as a back door for later use.
11 plugins abused
So far, the hackers seem to be focusing on old vulnerabilities in 11 plugins. A few months ago it became known that Yuzo Related Posts and WP Live Chat Support were not secure. In addition, the following plugins are also affected:
- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Visual CSS Style Editor
- Form Lightbox
- Hybrid Composer
- All former NicDark plugins (including nd-booking, nd-travel and nd-learning).
Updates & Security precautions
The plugin developers have since released patches that repair the vulnerabilities. But there are still quite a few users who do not use the latest version of the plugins mentioned above. So they are still in danger.
In addition to updating plugins to the most recent version, admins are advised to check the user accounts on their website. If it is found that there are unknown admin accounts, these must be deleted immediately.
Subsequently, it is important to verify the files to ensure that there are no backdoors. If you are unsure, it is best to restore a backup.
Non-technical users who find that unauthorized access to their website has been obtained are advised to hire a security consultant who can assist with the clean-up of your WordPress website.