A zero-day vulnerability was recently discovered in a popular WordPress plugin. Cybercriminals exploiting the bug have now started protecting the websites they compromise from attacks by rival threat actors.
The vulnerability was first discovered by the security company Defiant, which recorded attacks on over 1.7 million WordPress sites with vulnerable versions of the File Manager plugin installed. Over the past week the number of attacked sites rose to over 2.6 million.
If the flaw is exploited, attackers could upload malicious PHP files and execute arbitrary code on WordPress sites that have not been updated to the latest version of File Manager.
With the release of File Manager 6.9, the plugin's developers published a patch for the vulnerability. Unfortunately, many site owners have still not updated to the latest version of the plugin, which leaves their websites open to attack.
Defense of Hacked WordPress Sites
Several cybercriminals are currently targeting websites that run vulnerable versions of the File Manager plugin, according to a new report from Defiant. Wordfence QA engineer Ram Gall stated that two of these attackers have started defending the websites they hacked, saying:
“We saw evidence that multiple threat actors were involved in these attacks, including minor efforts by the threat actor who previously attacked millions of websites. However, two attackers were the most successful in exploiting vulnerable websites, and at this point both attackers are password-protecting compromised copies of the connector.minimal.php file.”
One of the attackers, known as Bajatax, is a Moroccan threat actor known for stealing user credentials from PrestaShop ecommerce websites. After compromising a WordPress site, Bajatax inserts malicious code that exfiltrates user credentials via Telegram when the site owner logs in; those credentials are then sold to the highest bidder. The other threat actor adds a backdoor disguised as an .ico file in a random folder and in the site
Defiant has observed that both threat actors password-protect the exploitable connector.minimal.php file on websites they have already infected. Gall provided more details on how these two threat actors defend the WordPress sites they have compromised, saying:
“Our site cleanup team has cleaned up a number of sites affected by this vulnerability. In many cases, malware from multiple threat actors is present. The above threat actors have been by far the most successful because of their efforts to exclude other attackers, and share several thousand IP addresses for their attacks.”
Owners of WordPress websites with the File Manager plugin installed should upgrade to version 6.9 immediately to avoid falling victim to these attacks, especially now that the criminals have stepped up their efforts.
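A defender-side check for the situation described above, added here as an example (it is not code from the article, from Defiant/Wordfence, or from the plugin vendor): it reads the plugin header version, flags installs below the patched 6.9 release, and compares connector.minimal.php against the hash of a clean copy so that a password-gated or otherwise altered connector stands out. The plugin directory, main file name and connector location are assumptions.

```python
"""Audit one WordPress install for an unpatched or tampered File Manager plugin."""
import hashlib
import re
from pathlib import Path

PATCHED = (6, 9)  # first release containing the fix, per the article
PLUGIN_DIR = "wp-content/plugins/wp-file-manager"   # assumed plugin path
MAIN_FILE = "file_manager.php"                       # assumed main plugin file
CONNECTOR = "lib/php/connector.minimal.php"          # assumed connector path
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M)


def parse_version(header_text: str):
    """Return the 'Version:' value from a WordPress plugin header as an int tuple."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version) -> bool:
    """Tuple comparison, so 6.10 sorts above 6.9 (a string compare would not)."""
    return version is not None and version < PATCHED


def connector_modified(connector_bytes: bytes, known_good_sha256: str) -> bool:
    """True when the on-disk connector differs from a clean copy of the release.

    The article reports attackers password-gating compromised copies of this
    file, so any drift from the shipped file deserves a manual look."""
    return hashlib.sha256(connector_bytes).hexdigest() != known_good_sha256.lower()


def audit(wp_root: str, known_good_sha256: str) -> dict:
    """Report plugin presence, version, patch state and connector integrity."""
    plugin = Path(wp_root) / PLUGIN_DIR
    report = {"installed": plugin.is_dir(), "version": None,
              "vulnerable": False, "connector_modified": None}
    main = plugin / MAIN_FILE
    if main.is_file():
        report["version"] = parse_version(main.read_text(errors="replace"))
        report["vulnerable"] = is_vulnerable(report["version"])
    connector = plugin / CONNECTOR
    if connector.is_file():
        report["connector_modified"] = connector_modified(
            connector.read_bytes(), known_good_sha256)
    return report
```

Take the reference hash from the connector file inside the official 6.9 release archive, not from a copy on a site that may already have been visited by the attackers.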