The campaign’s goals aren’t immediately clear, as the malefactors don’t appear to be leveraging the hijacked websites for further nefarious purposes.
Attackers have been exploiting a security weakness in a GDPR compliance plugin for WordPress to seize control of vulnerable websites, according to a blog post by Defiant, which makes Wordfence security plugins for the web publishing platform.
Importantly, the developer behind the plugin, which is called WP GDPR Compliance, has issued a patch fixing the critical flaw. Its users are, therefore, strongly advised to upgrade to version 1.4.3, or alternatively disable or remove the tool.
Used by more than 100,000 websites seeking compliance with the European Union’s General Data Protection Regulation (GDPR), the plugin was pulled from the WordPress plugin repository after news of the flaw broke, but was reinstated quickly with the release of the version that plugs the hole.
Two in one
If left unplugged, the privilege escalation hole enables attackers to take over impacted sites and use them for a range of further nefarious actions. This is not merely a hypothetical threat, as attackers were found to have been compromising vulnerable websites for around three weeks.
In fact, the plugin was affected by two distinct bugs. However, “with potential exploits living in the same block of code and executed with the same payload, we’re treating this as a single privilege escalation vulnerability”, reads the blog post. The researchers spotted two kinds of attacks leveraging the security hole: a simpler and a more complex one.
As their follow-up blog post explains, the first – and more common – scenario involves attackers abusing the user registration system on a targeted website in order to create new administrator accounts, which then gives them carte blanche vis-à-vis the site.
As part of the malicious routine, the attackers “close the doors behind themselves” by reversing the changes in settings that let them in and by disabling user registration. This is presumably intended to avoid raising alarms and to lock out competing ne’er-do-wells. A few hours later, the attackers are back – logging in with their admin access and installing backdoors.
In the second – and perhaps more discreet – kind of attack, the malefactors leverage the bug in order to abuse WordPress’s task scheduler called WP-Cron. The long and the short of it is that they inject malicious actions into the task scheduler in order to ultimately establish persistent backdoors.
It’s unclear at this point how the attackers ultimately aim to take advantage of the hijacked websites. At any rate, the potential nefarious actions run the gamut and include hosting phishing sites and spewing out spam.
written by Tomas Foltyn, ESET We Live Security