Threat actors target WordPress sites using vulnerable File Manager install

Experts reported threat actors are increasingly targeting a recently addressed vulnerability in the WordPress plugin File Manager.

Researchers from WordPress security company Defiant observed a surge in the number of attacks targeting a recently addressed vulnerability in the WordPress plugin File Manager.

In early September, experts reported that hackers were actively exploiting a critical remote code execution vulnerability in the File Manager WordPress plugin that could be exploited by unauthenticated attackers to upload scripts and execute arbitrary code on WordPress sites running vulnerable versions of the plugin.

The File Manager plugin allows users to easily manage files directly from WordPress, it is currently installed on more than 700,000 WordPress sites.

The vulnerability was first discovered by Gonzalo Cruz from Arsys, the researcher also confirmed that threat actors are already exploiting the flaw to upload malicious PHP files onto vulnerable sites.

The vulnerability impacts all versions between 6.0 and 6.8 of the popular plugin.

The developers of the plugin have quickly patched the vulnerability with the release of versions 6.9.

Cruz shared his findings with WordPress security firm Wordfence and provided it a working proof of concept exploit for the flaw. The security firm confirmed the ongoing attack, its Web Application Firewall blocked over 450,000 exploit attempts during the last several days.

“The Wordfence firewall has blocked over 450,000 exploit attempts targeting this vulnerability over the past several days. We are seeing attackers attempting to inject random files, all of which appear to begin with the word “hard” or “x.”” Wordfence said.

“From our firewall attack data, it appears that attackers may be probing for the vulnerability with empty files and if successful, may attempt to inject a malicious file. Here is a list of some of the files we are seeing uploaded:

• hardfork.php
• hardfind.php
• x.php”

Wordfence experts revealed that threat actors were trying to upload PHP files with webshells hidden within images to the wp-content/plugins/wp-file-manager/lib/files/ folder.

Now Wordfence researchers reveal that a few days after the vulnerability was addressed with the release of a patch multiple threat actors started targeting unpatched installs.

Over 1.7 million sites were targeted by hackers in a few days, and the number of attacks reached 2.6 million as of September 10.

“We’ve seen evidence of multiple threat actors taking part in these attacks, including minor efforts by the threat actor previously responsible for attacking millions of sites, but two attackers have been the most successful in exploiting vulnerable sites, and at this time, both attackers are password protecting vulnerable copies of the connector.minimal.php file,” reads the analysis published by Wordfence.

According to the experts, the first threat actor observed targeting the vulnerability at scale is Moroccan attacker that goes online with the moniker “bajatax.” The threat actors modifies the vulnerable connector.minimal.php file to prevent further attacks, he was observed adding code to exfiltrate user credentials using the Telegram messenger’s API. The attackers added the malicious code to the WordPress core user.php file and, if WooCommerce is installed, two more files are modified to steal user credentials.

Experts also observed a second threat actor targeting vulnerable websites and protecting the connector.minimal.php file with a password to prevent other infections. This threat actor is using a consistent password across infections.

The attacker inserted two copies of the backdoor, with randomized filenames ending in _index.php, into the infected website, one in the webroot and the other in a randomized writable folder of the website. The attacker uses the backdoors to modify core WordPress files to add cryptominers and SEO spam to the vulnerable websites.

Experts monitored attacks originating from more than 370,000 separate IP addresses, with almost no overlaps between the IPs addresses involved in the attacks associated with the two most active attackers.

“If you or anyone you know has had a vulnerable version of the File Manager plugin installed, we urge you to scan your site for malware using a security solution such as Wordfence.” concludes the post. “If your site has been compromised by the “bajatax” threat actor, it is critical that you completely clean your site before contacting all of your users and advising them that their credentials may have been compromised, especially if you are running an e-commerce site.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, File Manager)

[adrotate banner=”5″]

[adrotate banner=”13″]