Posted on: August 24, 2018

Overview

 

To all website customers using WordPress: please be advised of a redirect campaign that targets vulnerabilities in specific themes and in the Ultimate Member plugin.

Symptom: Your website loads, but immediately after loading it redirects to http://murieh.space or https://unverf.com. The messages and content try to convince visitors to verify and subscribe to browser notifications without disclosing the purpose of this behaviour.

Affected WordPress Plugin: Ultimate Member. A fake image is uploaded, usually an image file with added PHP code. The hackers then use this file to create a backdoor and inject a variety of malicious code into files on the server. The attack is carried out by malware scripts injected from one of two sites, one used in the initial stages of the campaign and the other introduced about a week later. Researchers said successful infections will be limited to files that belong to one server account.

Impact: If the account has more than one site, all the sites will be infected, even if they don't have the Ultimate Member plugin or any vulnerable components. In addition, non-WordPress sites can also be infected in this process.

Preventative and Corrective Actions: Update all themes and plugins, and clean and harden all the sites that share the same server account. In case of Ultimate Member exploitation, delete all PHP files in subdirectories under wp-content/uploads/ultimatemember/temp/ and disable execution of PHP files in this folder.
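
One way to carry out the Ultimate Member check described above, as an added example that is not part of the original advisory: the shell function below reports PHP files and image files containing a PHP open tag under the temp directory, and deletes the PHP files only when called with --delete. The function name, output labels, image extension list and the --delete switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit the Ultimate Member temp
# upload directory for PHP files and for image files that contain PHP code.
# Usage: um_temp_audit <wordpress-root> [--delete]
# Returns 0 if clean, 1 if anything was found, 2 if the directory is missing.

um_temp_audit() {
    um_temp="$1/wp-content/uploads/ultimatemember/temp"
    um_mode="${2:-}"
    um_hits=0
    if [ ! -d "$um_temp" ]; then
        echo "MISSING $um_temp" >&2
        return 2
    fi

    # PHP files anywhere under temp/, which covers every subdirectory.
    # The pattern also matches variants such as .PHP and .php5.
    um_php=$(find "$um_temp" -type f -iname '*.php*' -print) || true

    # Image files whose bytes contain a PHP open tag (the "fake image" case).
    # The extension list is an assumption; extend it to match allowed uploads.
    um_img=$(LC_ALL=C find "$um_temp" -type f \
        \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) \
        -exec grep -l -F '<?php' {} + 2>/dev/null) || true

    if [ -n "$um_php" ]; then
        printf '%s\n' "$um_php" | sed 's/^/PHP_FILE /'
        um_hits=1
    fi
    if [ -n "$um_img" ]; then
        printf '%s\n' "$um_img" | sed 's/^/IMAGE_WITH_PHP /'
        um_hits=1
    fi

    # The advisory's corrective action: delete the PHP files. Images are only
    # reported so they can be reviewed before removal.
    if [ "$um_mode" = "--delete" ] && [ -n "$um_php" ]; then
        find "$um_temp" -type f -iname '*.php*' -exec rm -f -- {} +
    fi
    return "$um_hits"
}
```

Run it once for each site under the shared server account and review the report before repeating the call with --delete.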

For detailed technical information on corrective actions, see https://blog.sucuri.net/2018/08/massive-wordpress-redirect-campaign-targets-vulnerable-tagdiv-themes-and-ultimate-member-plugins.html
Alternatively, you may contact the NDMA for assistance.