Categories: Security

SoakSoak Malware Attacks WordPress Sites

The popular open-source WordPress blogging and content management system (CMS) is at risk from a vulnerable third-party plug-in that many users may not even realize they are running.

According to security firm Sucuri, the vulnerability may have already exposed more than 100,000 WordPress Websites to exploitation via malware known as SoakSoak.

Long tail

The actual vulnerability is in the RevSlider third-party plug-in, which is often bundled by WordPress theme developers in themes that WordPress site administrators can choose to install.

Sucuri first warned of vulnerabilities in the RevSlider plug-in in September, and an updated version of the plug-in has been available for months. It wasn’t until December 14 that a large-scale attack that abuses the RevSlider vulnerabilities emerged. The attack leverages the RevSlider vulnerabilities to connect with the SoakSoak.ru domain to load a JavaScript malware.

“This plug-in [RevSlider] has multiple vulnerabilities, and one of them allows anyone to upload a theme to the vulnerable site,” Daniel Cid, co-founder and CTO of Sucuri, explained to eWEEK. “Attackers are leveraging it to upload a backdoor that gives them control of the Website.”

Cid added that the vulnerability is not really an application permission issue, but rather it is more of an issue about a lack of access control on the upload functions.

Speedy

While some malware spreads with worm functionality that self-replicates, that’s not the case with the SoakSoak malware infection.

“It is spreading so quickly because this plug-in is integrated by many themes and most Webmasters are not even aware they have this plug-in in their sites,” Cid said. “We are not seeing a worm out of it, just a massive scanning looking for vulnerable hosts.”

The simple truth of the matter is that there are WordPress sites that are running out-of-date third-party plug-ins.

“The main issue is the lack of awareness from Webmasters that have been using an unpatched plug-in for months,” Cid said. “If they had updated or taken the proper security steps, like installing a Website firewall or hardened their sites, they would have been safe.”

The issue of out-of-date third-party plug-ins representing a risk to WordPress sites is not a new one. In July, Sucuri warned of potential malware infections that leveraged an out-of-date MailPoet plug-in for WordPress.

The open-source WordPress project has provided automatic updates for security fixes in the core WordPress application since the 3.7 version in October 2013. The automatic updates do not currently include automatically updating all of a user’s plug-ins.

Risks

Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, noted that those who are in charge of checking the security of WordPress already warn users about out-of-date plug-ins. The latest WordPress releases provide users with a list of plug-ins that need to be updated on users’ WordPress dashboard. Hansen added that it would be a good idea if WordPress gave users the option to automatically disable plug-ins that are known to be vulnerable, without risking the user’s sites.

“Given that plug-ins are the most vulnerable part of the ecosystem, it would be prudent to treat them as unknown and potentially dangerous software that can and should be disabled if the administrators are paranoid,” Hanson told eWEEK.

The idea of fully automated security updates is not one that sits well with Amichai Shulman, CTO of Imperva.

“Most organisations would not allow any functional change to go live untested in a lab, and without a proper change management process,” Shulman told eWEEK. “Why would someone give this up for a security fix?”

Shulman sees the deployment of Web Application Firewall (WAF) rules as being a key mechanism to minimize security risk. Some WAFs provide out-of-the-box protection against the specific type of vulnerability that led to the SoakSoak infection, which is an arbitrary file access through directory traversal issue, he added.

Are you a security pro? Try our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Three UK Investigates After Outage Impacted Some 999 Calls

Thursday outage of Three UK network impacts thousands of people, with operator confirming some 999…

1 day ago

CMA Secures Google Commitment To Tackle Fake Reviews

British competition watchdog secures undertaking from Google to tackle fake reviews, as Amazon probe continues

1 day ago

Trump Signs AI ‘Free From Idealogical Bias’ Executive Order

After earlier revoking Biden's AI safety executive order, President Trump signs new executive order to…

1 day ago

OpenAI’s ‘Operator’ Agent Automates Online Tasks

OpenAI launches AI agent called 'Operator' to automatically fill out forms, make restaurant reservations, book…

2 days ago

Pakistan’s Parliament Passes Bill For Strict Control On Social Media

Bill passed to give Pakistani government sweeping controls on social media, but critics argue it…

2 days ago

Indian Tribunal Suspends Meta’s Data Sharing Ban

After Meta had warned that India's data sharing ban could collapse WhatsApp's business model, tribunal…

2 days ago