Another day, another hacking activity has been flagged by a group of security researchers. This time, they were able to detect a hacking campaign that leverages and exploits certain vulnerabilities in WordPress plug-ins in order to redirect a victim’s URL to a malware-infested website.
The team of cybersecurity researchers from WordFence’s Threat Intelligence division has uncovered an active attack campaign targeting a selection of new and old WordPress plug-in vulnerabilities. According to the blog post in WordFence, the attackers are maliciously sending the websites of the victims to “a number of potentially harmful locations.”
Wordfence said that the attackers are targeting publicly known vulnerabilities in several WordPress plug-ins. They noted that while some of those plug-ins have existing firewalls to prevent malicious actors from attacking certain vulnerabilities, the firewalls in at least two of the said plug-ins are are only available to premium users.
The campaign targets and attacks flaws in WordPress plug-ins developed by the developer NicDark (now renamed as “Endreww”), such as a plug-in called Simple 301 Redirects – Addon – Bulk Uploader, the security researchers said.
The researchers noted that while several individual plug-ins are affected, the vulnerability is the same across each and they are covered by a single firewall rule.
“Affected plug-in slugs are prefixed with nd-. Example plug-ins include Components For WP Bakery Page Builder (slug: nd-shortcodes), Booking (slug: nd-booking), Travel Management (slug: nd-travel), etc.,” the blog disclosure reads.
The blog reveals that a firewall rule has been rolled out, but only for Premium users, since July 30. This means that free users are still vulnerable to the attacks until now. However, the same blog also notes that the developer is planning to release the same firewall for free users on August 29.
“Each of these plug-ins has updates available which resolve the vulnerabilities. All WordPress users, regardless of firewall status, are advised to keep their plug-ins up-to-date at all times,” the researchers said.
What happens during the attack?
Researchers revealed through their investigation that the attackers targeting the vulnerabilities in NicDark’s plug-ins all are all exploited by very similar AJAX requests, which “registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors.” This way, according to the security researchers, could allow unauthorized access to import various WordPress settings without the site’s owner’s consent or knowledge.
Because the attack could allow unauthorized access to perform arbitrary WordPress operations, it is possible that attackers could also grant themselves Admin access to the site. However, they noted that such actions were not performed in the specific attack campaign in question. Instead, according to the cybersecurity researchers, the attackers are modifying the site URL setting of the victim’s site. A subsequent request would then make the same change for the home setting.
The result of this modification is that all of the victim site’s scripts will attempt to load relative to that injected path; meaning it will redirect the URL to another site. For example, when users try to load www.forexample.com, visitor’s browser would open the site that was injected by the hackers in lieu of the original site.
Where are they sending the victims’ sites to?
Attackers are said to be using different domains to redirect victims’ sites to. The following domain is just some of where the attackers are sending the victims’ URL:
Furthermore, there are plenty of IP addresses that the researchers were able to link to the attack campaign. The top 20 IP addresses are listed below:
Additionally, addresses listed in the bold text appear in the list of IPs Attacking Most Sites, the researchers noted.
The researchers emphasized that the current vulnerabilities have already been patched by the plug-in developer and urged users to make sure that they have updated their plug-ins to the newest version. They added that their investigation on the attack campaign is still ongoing and promised to continue with their study in order to zero in with the perpetrators.
“Our investigation into these attacks is ongoing. We will continue to track further changes in the campaign’s infrastructure and will provide followup reports as necessary,” they added.