Threat actors have reportedly hacked WordPress sites to deliver malware (NetSupport RAT and Raccoon Stealer) by displaying fraudulent Cloudflare DDoS protection pages.
Distributed Denial-of-Service (DDoS) protection pages are browser-side verification checks intended to stop bot-driven and malicious traffic from consuming bandwidth and rendering websites inaccessible.
How it works
The attackers compromise WordPress sites so that they display fake DDoS protection prompts. When users click these prompts, a malicious ISO file (security_install.iso) is downloaded onto the victim's device.
The file is reported to be a remote access trojan known as NetSupport RAT and is linked to the FakeUpdates (also known as SocGholish) malware family. It also clandestinely installs Raccoon Stealer, a trojan designed to steal victims' credentials.
Website owners are advised to:
Place their sites behind a firewall - Firewalls aid in monitoring network traffic, blocking virus attacks, preventing hacking, stopping spyware and protecting privacy.
Apply two-factor authentication (2FA) - Two-factor authentication provides an added layer of security that makes it difficult for threat actors to access user accounts.
Users who visit the website should:
Enable two-factor authentication (2FA) - As mentioned above, two-factor authentication provides an added layer of security that makes it difficult for threat actors to access user accounts.
Avoid opening suspicious files - Opening such files may execute a program that could damage or steal critical data.
The theme files of WordPress sites were found to be the most common infection point in the campaign. As such, administrators are advised to review these files for unexpected changes.
It should be noted that downloading an ISO file is not part of any legitimate anti-DDoS procedure. If such a file is downloaded accidentally, do not unpack or run its contents.
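One way an administrator can carry out the theme-file review recommended above is to record a hash baseline of the theme directory while it is known to be clean and then re-scan it for files that changed, appeared, or disappeared, together with a few generic injection heuristics (inline script tags loading off-site JavaScript, eval/base64 obfuscation). The script below is an added example written for this advisory; it is not the CIRT's tooling, the theme layout and the injected line it demonstrates on are constructed, and the pattern list is a generic heuristic rather than indicators taken from the campaign.

```python
"""Added example (not from the advisory): baseline-and-heuristic scanner for a
WordPress theme directory. Paths, sample theme files and the injected line are
constructed for the demonstration."""
import hashlib
import re
import tempfile
from pathlib import Path

# Generic heuristics for injected content (not indicators from the campaign).
SUSPICIOUS_PATTERNS = {
    "external_script": re.compile(r"<script[^>]+src=[\"']https?://", re.IGNORECASE),
    "php_eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE),
    "js_eval_atob": re.compile(r"eval\s*\(\s*atob\s*\(", re.IGNORECASE),
    "long_hex_escape_run": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file's raw bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(theme_dir: Path) -> dict:
    """Map each file's path (relative to the theme root) to its SHA-256 digest.
    Run this while the theme is known to be clean and store the result offline."""
    return {
        str(p.relative_to(theme_dir)): sha256_of(p)
        for p in sorted(theme_dir.rglob("*"))
        if p.is_file()
    }


def scan_theme(theme_dir: Path, baseline: dict) -> dict:
    """Return {relative_path: [reasons]} for files that are new, changed, missing,
    or that match one of the suspicious patterns."""
    findings = {}
    for p in sorted(theme_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(theme_dir))
        reasons = []
        if rel not in baseline:
            reasons.append("new file not in baseline")
        elif baseline[rel] != sha256_of(p):
            reasons.append("hash differs from baseline")
        text = p.read_text(errors="replace")
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                reasons.append("pattern:" + name)
        if reasons:
            findings[rel] = reasons
    # Files present in the baseline but no longer on disk are also worth a look.
    for rel in baseline:
        if not (theme_dir / rel).is_file():
            findings[rel] = ["file missing since baseline"]
    return findings


def demo() -> dict:
    """Constructed walk-through: clean theme -> baseline -> inject -> scan.
    Uses a temporary directory so it runs anywhere; returns the scan findings."""
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d) / "wp-content" / "themes" / "example-theme"  # constructed path
        theme.mkdir(parents=True)
        (theme / "header.php").write_text("<?php wp_head(); ?>\n<header>Site</header>\n")
        (theme / "footer.php").write_text("<footer><?php wp_footer(); ?></footer>\n")
        baseline = build_baseline(theme)
        # Simulate tampering: an off-site script tag appended to the footer.
        # 'attacker.invalid' is a reserved placeholder domain, not a real indicator.
        (theme / "footer.php").write_text(
            "<footer><?php wp_footer(); ?></footer>\n"
            '<script src="https://attacker.invalid/check.js"></script>\n'
        )
        return scan_theme(theme, baseline)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons))
```

In real use, build_baseline would be run against wp-content/themes right after a clean install or update, the resulting map stored somewhere the web server cannot write to, and scan_theme run on a schedule; the hash comparison catches any modification regardless of how the injected code is obfuscated, while the patterns give a quick triage hint for files that have changed.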
The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary.
PDF Download: WordPress Sites Hacked.pdf
Lakshmanan, R. (24 August 2022). Hackers Using Fake DDoS Protection Pages to Distribute Malware. Retrieved from The Hacker News.
Toulas, B. (20 August 2022). WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware. Retrieved from BleepingComputer.
Firewall Benefits: The Importance of Firewall Security. Retrieved from Fortinet.
Back to Basics: Multi-Factor Authentication (MFA). Retrieved from NIST Applied Cybersecurity Division.