WordPress-based websites under threat by Linux backdoor malware exploit (6th January 2023)

Ref# AL2023_03 | Date: Jan 6th 2023

Description 

A previously unidentified Linux malware strain that compromises weak systems is threatening WordPress websites by taking advantage of vulnerabilities in over twenty plugins and themes. 

Summary  

According to reports, if websites run older versions of these add-ons that lack the necessary patches, malicious JavaScript is injected into the targeted web pages, causing visitors to be diverted to other websites when they click on any part of the attacked page. 

The attacks involve weaponizing a list of known security vulnerabilities in 19 different plugins and themes installed on a WordPress site, using them to deploy an implant that can target a specific website in order to further expand the network. The implant is also capable of injecting JavaScript code retrieved from a remote server to redirect the site's visitors to an arbitrary website of the attacker's choice. 
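The injection described above leaves a footprint in the rendered page: a script tag pointing at a host the site does not normally load from, or an inline handler that sends visitors elsewhere on click. The following Python scanner is an added example written for this alert, not code from the advisory or from Doctor Web; the trusted host list and the sample HTML are constructed placeholders, and the regular expressions are a starting heuristic an administrator would tune for their own site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this site legitimately loads scripts from.
TRUSTED_HOSTS = {"example-site.test", "cdn.example-site.test"}

# Inline-script fragments typical of click-triggered redirects.
REDIRECT_PATTERNS = [
    re.compile(r"\blocation\s*(\.href|\.replace|\.assign)?\s*[=(]"),
    re.compile(r"addEventListener\s*\(\s*['\"](click|mousedown|touchstart)['\"]"),
    re.compile(r"window\.open\s*\("),
]


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_suspicious_scripts(html, trusted_hosts=TRUSTED_HOSTS):
    """Return (kind, detail) findings for scripts that warrant manual review."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        # Protocol-relative "//host/x.js" still names a host; relative paths do not.
        host = urlparse("https:" + src if src.startswith("//") else src).hostname
        if host and host not in trusted_hosts:
            findings.append(("external-untrusted", src))
    for body in parser.inline:
        if any(p.search(body) for p in REDIRECT_PATTERNS):
            findings.append(("inline-redirect", body.strip()[:80]))
    return findings


# Constructed sample page: two legitimate scripts, one injected loader, one click hijack.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-site.test/theme.js"></script>
<script src="//injected-host.invalid/loader.js"></script>
</head><body>
<script>document.addEventListener('click', function(){ window.location.href='https://injected-host.invalid/go'; });</script>
<script>console.log('benign');</script>
</body></html>"""
```

Run it against `SAMPLE_HTML` and it reports the untrusted loader and the inline click handler while ignoring the site's own scripts; in practice it would be run over fetched pages or the database's post content.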

According to Doctor Web, a second version of the backdoor was identified which uses a new command-and-control (C2) domain as well as an updated list of flaws spanning 11 additional plugins, taking the total to 30. 

The targeted plugins and themes include – 

  • Easy WP SMTP 

  • WP GDPR Compliance 

  • Newspaper (CVE-2016-10972) 

  • Thim Core 

  • WP Live Chat Support 

  • Smart Google Code Inserter (discontinued as of January 28, 2022) 

  • Total Donations 

  • Post Custom Templates Lite 

  • Yuzo Related Posts 

  • Yellow Pencil Visual CSS Style Editor 

  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233) 

  • WP-Matomo Integration (WP-Piwik) 

  • ND Shortcodes 

  • WP Live Chat 

  • WP Quick Booking Manager 

  • Coming Soon Page and Maintenance Mode 

  • Hybrid 

  • Simple Fields 

  • Delucks SEO 

  • Poll, Survey, Form & Quiz Maker by OpinionStage 

  • Social Metrics Tracker 

  • WPeMatico RSS Feed Fetcher 

  • Rich Reviews 

  • Live Chat with Messenger Customer Chat by Zotabox 

  • Blog Designer 

  • Brizy 

  • FV Flowplayer Video Player 

  • WooCommerce 

  • Coming Soon Page & Maintenance Mode 

  • Onetone 

A second backdoor that uses a different command-and-control (C2) domain and an updated list of vulnerabilities affecting 11 more plugins, bringing the total to 30, was discovered, according to Doctor Web. 

It is unclear whether the alleged inclusion of a brute-force approach for WordPress administrator accounts is a holdover from an earlier version or a feature that has not yet been deployed in either form. 

If such a feature is added to subsequent versions of the backdoor, cybercriminals would also be able to successfully target some websites that run current plugin versions in which these vulnerabilities are already fixed. 

Remediation 

WordPress users are recommended to keep all the components of the platform up to date, including third-party add-ons and themes. It is also advised to use strong and unique logins and passwords to secure their accounts. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: WordPress-based websites under threat.pdf

References