Categories: SecurityWorkspace

Hacker Group Looks To Gain Control Over Vulnerable WordPress Sites

An ongoing attack on WordPress plugins has been altered into a more dangerous form as hackers seek to gain more control over vulnerable websites, a researcher has warned.

The initial attack, which began in July, involved targeting vulnerable plugins to gain access to WordPress sites and install malicious code, said researcher Mikey Veenstra of Defiant.

The initial code displayed ads or redirected visitors to third-party websites, he said.

But beginning on 20 August the attackers modified the malicious code already planted on sites to make it try and create malicious administrator accounts, Veenstra said in an advisory.

Rogue accounts

When an administrator logs into an infected WordPress site, the malware attempts to use the user’s credentials to create a new admin account named wpservices.

The new account is under the attackers’ control and could be used to carry out further actions, Veenstra said.

“With this user (account)  in place, the attacker is free to install further backdoors or perform other malicious activity,” he wrote.

The shift is a sign that the attackers may be preparing to carry out further attacks via infected WordPress sites, Veenstra said.

Patches

The attacks are currently targeting the following list of WordPress plugins, according to Veenstra:

Bold Page Builder
Blog Designer
Live Chat with Facebook Messenger
Yuzo Related Posts
Visual CSS Style Editor
WP Live Chat Support
Form Lightbox
Hybrid Composer
All former NicDark plugins (nd-booking, nd-travel, nd-learning, et. al.)

He advised users to immediately update their plugins to the latest version to avoid exposing their sites to hacks.

Users should also remove any unauthorised accounts created by the malware and carry out scans to ensure the site is free from other backdoors, Veenstra said.

“As always, updating the plugins and themes on your WordPress site is an excellent layer of defense against campaigns like these,” he said.

“Check your site for needed updates frequently to ensure you’re receiving the latest patches as they’re released.”

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Ransomware Remains Biggest Cyber Threat To SMBs, Warns Datto

Number of ransomware attacks on SMBs on the rise, and the cost of downtime has risen over 200 percent

14 hours ago

Canonical Releases Ubuntu 19.10 ‘Eoan Ermine’

New open source Linux distribution comes with update to Charmed OpenStack and additional support for Raspberry Pi

14 hours ago

O2 Launches 5G Network In Six UK Cities

Network launch sees customers offered unlimited 5G data and no premium for connecting to 5G network

16 hours ago

IBM Profit Slumps As Tech Services Struggles

Big fall in profits at Big Blue as tech services division declines, as does IBM's systems division

17 hours ago

Samsung Acknowledges Galaxy S10 Fingerprint Flaw

A software patch will be by Samsung issued to stop any fingerprint unlocking the Galaxy S10 smartphone fitted with a…

18 hours ago

Three Network Crash Causes ‘Intermittent’ Outages

Mobile operator Three has admitted it is experiencing “technical difficulties” in widespread outage

19 hours ago