WordPress Targeted in Large-Scale Attack

NJCCIC Alert

Original Release Date: 5/8/2020

Summary

Wordfence threat intelligence analysts discovered a massive increase in attacks beginning April 28, 2020, exploiting Cross-Site Scripting (XSS) vulnerabilities in WordPress. The majority of attacks appeared to be the effort of a single threat actor who leveraged older vulnerabilities in an attempt to hijack an administrator's open session and inject malicious JavaScript to establish a Hypertext Preprocessor (PHP) backdoor or create redirects to malvertising sites. This threat actor attacked over 900,000 sites using approximately 24,000 unique IP addresses over the past month, with over 20 million attempts on May 3 alone. Researchers warn that the threat actor may begin to develop new exploits for other vulnerabilities. In addition, new vulnerabilities have been discovered in WordPress affecting three e-learning plugins for which patches are available. This attack highlights the importance of regularly updating plugins.

Recommendations

The NJCCIC recommends that users ensure WordPress plugins are up to date, delete plugins that have been removed from the WordPress repository, and enable a web application firewall (WAF) if possible. Technical details and indicators of compromise (IoCs) can be found in the Wordfence blog post.
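One way to turn the first two recommendations into a repeatable check, as an added example that is not NJCCIC or Wordfence code. It assumes the plugin inventory comes from WP-CLI's `wp plugin list --format=json`; the plugin slugs, the `audit_plugins` helper and the directory responses are constructed, and the response shape is an assumption modeled on the wordpress.org plugin information API.

```python
import json

# Constructed sample of `wp plugin list --format=json` output (WP-CLI).
WP_CLI_OUTPUT = json.loads("""[
  {"name": "example-forms",   "status": "active",   "update": "available", "version": "1.2.0"},
  {"name": "example-gallery", "status": "inactive", "update": "none",      "version": "0.9.1"},
  {"name": "example-seo",     "status": "active",   "update": "none",      "version": "3.4.5"},
  {"name": "inhouse-tools",   "status": "active",   "update": "none",      "version": "1.0.0"}
]""")

# Constructed directory lookups keyed by slug. Assumption: the response shape
# (an "error" key, with "closed" for withdrawn plugins) models the wordpress.org
# plugin information API; confirm against live responses before relying on it.
DIRECTORY = {
    "example-forms":   {"slug": "example-forms", "version": "1.3.0"},
    "example-gallery": {"error": "closed"},
    "example-seo":     {"slug": "example-seo", "version": "3.4.5"},
    "inhouse-tools":   {"error": "Plugin not found."},
}

def audit_plugins(installed, directory):
    """Return {slug: [findings]} for plugins that need attention."""
    report = {}
    for plugin in installed:
        slug, findings = plugin["name"], []
        if plugin.get("update") == "available":
            findings.append("update available")
        info = directory.get(slug)
        if info is None:
            findings.append("directory status unknown")
        elif info.get("error") == "closed":
            findings.append("removed from repository: delete")
        elif "error" in info:
            # Private or commercial plugins land here; they get no repository updates.
            findings.append("not listed in repository: verify source")
        # Inactive plugin code stays on disk and may remain reachable over HTTP.
        if findings and plugin.get("status") == "inactive":
            findings.append("inactive: files still on disk")
        if findings:
            report[slug] = findings
    return report

if __name__ == "__main__":
    for slug, findings in audit_plugins(WP_CLI_OUTPUT, DIRECTORY).items():
        print(f"{slug}: {'; '.join(findings)}")
```
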

New Jersey Cybersecurity & Communications Integration Cell
