A large scale attack has hit more than 50,000 websites, the attacker exploited a recently patched vulnerability in a popular plugin for the WordPress CMS. Early July, experts at security firm Sucuri discovered that websites running WordPress and MailPoet plugin were vulnerable to cyber attacks which allow bad actors to gain total control over targeted WorldPress instances.
MailPoet is a very popular plugin with more than 1.7 million downloads, as explained by experts at Secury, the exploitation of the flaw allows attackers to upload any file of their choice to vulnerable servers.
“An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable.” reported blog at Sucuri.
In the three weeks since the disclosure of the flaw, the attackers have exploited the flaw to install a backdoor on a huge quantity of systems, ranging from 30,000 to 50,000 websites, despite some of them don’t run WordPress CMS or don’t have MailPoet enabled.
“To be clear, the MailPoet vulnerability is the entry point,” “It doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website.” wrote Daniel Cid, CTO & Founder of Sucuri, in a blog post.
As explained in the blog, the experts have identified a specific pattern related to the attacks, the attackers start trying to upload a custom and malicious theme to the targeted site:
220.127.116.11 - - [05/Jul/2014:01:41:30 -0700] "POST /wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://site.com.com/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0"
At this point the attacker has the full control of the site accessing the backdoor located in /wp-content/uploads/wysija/themes/mailp/:
18.104.22.168 - - [05/Jul/2014:01:41:31 -0700] "GET /wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "Mozilla/5.0" 22.214.171.124 - - [05/Jul/2014:04:08:16 -0700] "GET /wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.0" 200 12 "-" "Mozilla/5.0 (Windows)"
“The Backdoor is very nasty and creates an admin user called 1001001. It also injects a backdoor code to all theme/core files. The biggest issue with this injection is that it often overwrites good files, making very hard to recover without a good backup in place.” said the blog post.
As explained by expert at Sucuri, the malware injection tries to compromise all PHP files on the targeted server, this means that compromising a single website hosted on the machine using MailPoet it is possible to extend the infection to any other websites on the system. This means that shared hosting are particularly exposed to such kind of attacks, with serious consequences.
“We had a client that all his 20+ sites got injected, because one site inside the same shared account had MailPoet on it. That’s why we were seeing Joomla and Magento sites with the same malware as well. Took us a bit of time to connect all the dots and find the entry point on them.” explained Sucuri representative to Art Technica.
If you have installed MailPoet on your WordPress don’t waste time … hurry up and update it!
Security Affairs – (WordPress, privacy)