Thousands of WordPress sites hacked by exploiting a flaw in RevSlider plugin

Cybercriminals have been leveraging a vulnerability in a popular WordPress plugin to redirect the visitors of thousands of websites to exploit kits, a researcher has warned.

Security experts at Germany’s Computer Emergency Response Team (CERT-Bund) and researcher Yonathan Klijnsma revealed that at least 3,000 websites have been compromised by attackers exploiting a known vulnerability in the Slider Revolution (RevSlider) plugin. Once again, a WordPress plugin is being used to hack into websites. The flaw was fixed silently by the development team in February 2014, but its existence only came to light in September 2014, when it was exploited worldwide by criminal crews. Cyber criminals are exploiting the flaw in the RevSlider plugin to hijack thousands of websites running the vulnerable version.

In December 2014, experts at Sucuri firm reported that more than 100,000 WordPress websites had been compromised and used to serve the SoakSoak malware.

“Our analysis is showing impacts in the order of 100’s of thousands of WordPress specific websites. We cannot confirm the exact vector, but preliminary analysis is showing correlation with the Revslider vulnerability we reported a few months back.” reported Sucuri. “The impact seems to be affecting most hosts across the WordPress hosting spectrum. Quick breakdown of the decoding process is available via our PH

Returning to the present day, the RevSlider vulnerability is being exploited once again by bad actors that have been injecting malicious iframes on vulnerable websites in an effort to redirect visitors to domains hosting exploit kits.

Yonathan Klijnsma detailed the attack chain in a blog post: the cyber criminals compromised the websites by exploiting a local file inclusion (LFI) vulnerability. Exploiting the LFI flaw gives the attackers access to the server file system; they then create a new administrator account, upload a malicious script and complete the attack by installing backdoors in files belonging to other WordPress plugins.

Investigation on one of the compromised sites shows the attackers performed the following steps:

  • RevSlider was abused to add an extra Administrator account
  • The attackers uploaded a script called ‘smart.php’
  • Three files in the WordPress installation were edited: two files inside other plugins were backdoored with a code-execution backdoor, and the WordPress ‘nav-menu.php’ file was modified

Typically, attackers redirected victims to websites hosting the popular Fiesta exploit kit, but Klijnsma explains that they also used the Angler exploit kit for the malicious campaign.

The exploit kits are used to distribute several strains of malware, including the popular Cryptowall 3.0 ransomware, financial trojans and ad fraud malware.

“It just depends who rents ‘loads’ on these instances,” explained Klijnsma.

The domains serving the exploit kits are all hosted at dynamic DNS providers and have all been configured with a short Time To Live (TTL).

CERT-Bund collected valuable information to profile the hacking campaign: over half of the compromised websites are .com domains, and the majority of them are hosted in the United States. The campaign also involved websites in the Netherlands, Germany, France, Spain, the United Kingdom, Italy, Poland, Canada and Singapore.

Klijnsma advises administrators of compromised websites to remove all accounts and create new ones with new passwords, because the attackers gained administrative access to the site, so every account must be considered compromised from the moment of the attack.

“Check all PHP files for modifications by comparing them to files from the official WordPress website (or own local copies if you are 100% sure they are unaffected). Any modified files should be replaced with the normal ones,” suggested Klijnsma.
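The comparison Klijnsma recommends can be automated. The script below is an added example, not code from Klijnsma or the article: it hashes every PHP file under a known-good reference tree and under the live installation, then reports files that were modified (as the backdoored plugin files and ‘nav-menu.php’ were), files that exist only in the live tree (as an uploaded ‘smart.php’ would), and files that went missing. The reference tree is assumed to be a clean copy of the same WordPress version; the `demo()` function builds a constructed sample tree in a temporary directory so the script runs offline, and its file paths are illustrative.

```python
import hashlib
import os
import tempfile


def file_sha256(path):
    """SHA-256 of one file."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def checksum_tree(root, exts=(".php",)):
    """Map relative path -> sha256 for every file under root with a matching extension."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = file_sha256(full)
    return result


def compare(reference, current):
    """Return (modified, unexpected, missing) relative paths, each sorted."""
    modified = sorted(p for p in reference if p in current and reference[p] != current[p])
    unexpected = sorted(p for p in current if p not in reference)  # e.g. a dropped smart.php
    missing = sorted(p for p in reference if p not in current)
    return modified, unexpected, missing


def demo():
    """Constructed scenario: clean reference tree vs. tampered live tree (illustrative paths)."""
    clean = {
        "wp-admin/nav-menu.php": "<?php // clean core file\n",
        "wp-content/plugins/example-plugin/example-plugin.php": "<?php // clean plugin file\n",
    }
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as live:
        for root in (ref, live):
            for rel, body in clean.items():
                os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
                with open(os.path.join(root, rel), "w") as f:
                    f.write(body)
        # Simulate the compromise described above: edit two shipped files, drop a new one.
        for rel in clean:
            with open(os.path.join(live, rel), "a") as f:
                f.write("// injected line (constructed placeholder, not real backdoor code)\n")
        with open(os.path.join(live, "smart.php"), "w") as f:
            f.write("<?php // uploaded file (constructed placeholder)\n")
        return compare(checksum_tree(ref), checksum_tree(live))
```

Run `checksum_tree()` against a clean extracted WordPress archive and against the web root to get the real comparison; anything in the modified or unexpected lists needs review before it is replaced or removed.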

As a mitigation, update the RevSlider plugin to the latest version. Be careful: many themes bundle the plugin, which means your website could be vulnerable without your knowledge; in that case, use the patch for RevSlider available on the official WordPress website.


Pierluigi Paganini

(Security Affairs –  RevSlider,  WordPress)

