A new strain of Linux malware is targeting WordPress sites and exploiting vulnerabilities in over two dozen plugins and themes to compromise systems. Russian security firm Doctor Web discovered the malware, which has been tracked as Linux.BackDoor.WordPressExploit.1. It targets both 32-bit and 64-bit versions of Linux and has backdoor capabilities that allow it to attack a specific webpage, switch to standby mode, shut itself down, and pause logging its actions.
Before attacking a website, the malware contacts a command-and-control server to receive the address of the site it should infect. It then attempts to exploit vulnerabilities in various plugins and themes, including WP Live Chat Support, WordPress Yuzo Related Posts, and WordPress Ultimate FAQ. If it successfully exploits a vulnerability, it injects the targeted page with malicious JavaScript downloaded from a remote server.
This JavaScript runs when the infected page is loaded, redirecting users to a website chosen by the attackers whenever they click anywhere on the page.
Impact on WordPress Users
The injection of malicious JavaScript on compromised pages can have severe consequences for users. When visitors click on the infected page, they are redirected to other sites controlled by the attackers. These websites frequently deliver malware and host phishing pages, which can trick visitors into disclosing personal information such as login credentials or financial details. The targeted plugins and themes are listed below:
- WP Live Chat Support
- Yuzo Related Posts
- Yellow Pencil Visual CSS Style Editor
- Easy WP SMTP
- WP GDPR Compliance
- Newspaper (CVE-2016-10972)
- Thim Core
- Smart Google Code Inserter (discontinued as of January 28, 2022)
- Total Donations
- Post-Custom Templates Lite
- WP Quick Booking Manager
- Live Chat with Messenger Customer Chat by Zotabox
- Blog Designer
- WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- ND Shortcodes
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid
- Brizy
- FV Flowplayer Video Player
- WooCommerce
- Coming Soon Page & Maintenance Mode
- Onetone
- Simple Fields
- Delucks SEO
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews
A new Linux malware has been exploiting 30 vulnerabilities in outdated WordPress plugins and themes to deploy malicious JavaScript. https://t.co/vzO5hOkWAs
— Javier Casares (@JavierCasares) December 31, 2022
Additional Vulnerabilities Discovered
The researchers also discovered a newer malware version that exploits vulnerabilities in additional WordPress plugins, including Brizy WordPress Plugin and WooCommerce. This demonstrates that the threat is constantly evolving and that WordPress admins need to be vigilant in order to protect their sites.
Both variants of the malware contain unimplemented functionality for hacking the administrator accounts of WordPress websites through a brute-force attack. This type of attack involves using a program to automatically try a large number of password combinations in an attempt to guess the correct one.
Recommendations for WordPress Admins
Doctor Web advises WordPress admins to keep all CMS components up-to-date and use strong, unique logins and passwords for their accounts. The security firm has also shared indicators of compromise for this threat. It is essential for admins to ensure that they are running the latest version of all plugins and themes on their WordPress sites to protect against attacks.
In addition to keeping components up-to-date, admins should regularly scan their sites for vulnerabilities and take steps to fix any issues discovered.
Using Two-Factor Authentication Can Help Protect
In addition to using strong, unique passwords, WordPress admins should also consider implementing two-factor authentication as an additional layer of protection. This involves requiring an additional piece of information in addition to a password in order to log in to an account.
This information can be a code sent to a mobile phone or a biometric factor such as a fingerprint. Admins may make it far more difficult for attackers to obtain access to their accounts by demanding two kinds of authentication.
Not Keeping Components Up-to-Date Can Lead to Compromise
The Linux.BackDoor.WordPressExploit.1 malware is able to target known vulnerabilities in outdated plugins and themes in order to compromise WordPress sites. This highlights the importance of keeping all components of a CMS up-to-date in order to prevent attacks. Admins should regularly check for updates and install them in a timely manner to ensure that their sites are secure.
Using Strong, Unique Passwords Can Help Protect
In addition to keeping components up-to-date, WordPress admins should also use strong, unique passwords for their accounts. Using the same password for multiple accounts or using a weak password can make it easier for attackers to gain access to a site. By using strong, unique passwords, admins can make it more difficult for attackers to compromise their sites successfully. Admins should also consider using a password manager to help generate and store strong, unique passwords for all of their accounts.
Brute-Force Attacks Can Be Prevented
Both variants of the Linux.BackDoor.WordPressExploit.1 malware contain unimplemented functionality for hacking administrator accounts through a brute-force attack. As mentioned earlier, this type of attack involves using a program to automatically try a large number of password combinations in an attempt to guess the correct one. Admins can help protect against brute-force attacks by using strong, unique passwords and by implementing additional security measures such as two-factor authentication.
Ensuring Secure Connections
In addition to keeping components up-to-date, using strong passwords, and implementing two-factor authentication, WordPress admins should also ensure that their connections are secure. This can be done by using SSL certificates to encrypt data transmitted between a site and its visitors. Admins should also consider using a web application firewall to help protect against potential threats.
Additional Measures to Protect Against
In addition to keeping components up-to-date, using strong passwords, and implementing two-factor authentication, there are other measures that WordPress admins can take to protect their sites. These include ensuring secure connections and regularly checking for indicators of a compromise.
Regularly Checking for Indicators of a Compromise
Another important step in protecting a WordPress site is to regularly check for indicators of a compromise. Some signs of a compromise can include the presence of unfamiliar files or directories, unexpected changes to the site’s content, and an increase in traffic from suspicious sources. If an admin notices any of these or other indicators of a compromise, they should take immediate action to investigate and address the issue. This may involve restoring the site from a backup, scanning for malware, or taking other steps to secure the site.
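A defender-side check for the injection pattern described earlier (a remote-hosted script tag added to the page plus click-triggered redirects), as an added Python example that is not Doctor Web's tooling and not part of the original article; the trusted-host list and the sample page are constructed assumptions, and a real deployment would run it over the site's rendered pages or stored post content.

```python
"""Flag injected remote scripts and inline click handlers in WordPress page HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption; adjust per site).
TRUSTED_SCRIPT_HOSTS = {"example-blog.test", "cdn.example-blog.test"}


class InjectedScriptFinder(HTMLParser):
    """Collects <script src=...> tags pointing outside the trusted hosts and any
    inline onclick handlers, the two traits of the click-redirect injection."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []  # list of (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser already lowercases attribute names
        if tag == "script" and attrs.get("src"):
            # Relative src values have no host and are treated as same-origin.
            host = urlparse(attrs["src"]).hostname or ""
            if host and host not in self.trusted_hosts:
                self.findings.append(("remote-script", attrs["src"]))
        for name, value in attrs.items():
            if name == "onclick" and value:
                self.findings.append(("inline-click-handler", value))


def scan_html(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return the list of suspicious findings for one HTML document."""
    parser = InjectedScriptFinder(trusted_hosts)
    parser.feed(html)
    return parser.findings


# Constructed sample page: one legitimate script, one injected remote script
# (scheme-relative, as injected loaders often are) and a click-redirect handler.
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example-blog.test/jquery.min.js"></script>
<p onclick="window.location='https://redirect.invalid/'">Read more</p>
<script src="//malicious-cdn.invalid/m.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```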
Conclusion
The Linux.BackDoor.WordPressExploit.1 malware is a threat to WordPress sites that is able to exploit vulnerabilities in multiple plugins and themes in order to compromise systems. Admins can protect against this threat by keeping all components of their CMS up-to-date and by using strong, unique passwords for their accounts.
By keeping their components up-to-date, using strong, unique passwords, implementing two-factor authentication, ensuring secure connections, and regularly checking for indicators of a compromise, WordPress admins can help ensure the security of their sites and protect against potential threats. While eliminating the possibility of a breach entirely is impossible, implementing these safeguards can considerably reduce the chance of a successful attack and help secure the site and its users.