In the past seven days, a hacker group has tried to hijack almost a million WordPress sites. That is what the security company Wordfence reports. Wordfence's Threat Intelligence team registered a sudden increase in attacks on cross-site scripting (XSS) vulnerabilities that began on April 28 and within 30 days grew to 30 times the usual volume of attack data.
Behind most of these attacks is apparently a single threat actor, Wordfence writes. This group launched its attacks from 24,000 IP addresses and tried to break into more than 900,000 WordPress sites. The campaign peaked on May 3, when the group made 20 million attempts to exploit vulnerabilities on more than half a million individual sites.
Automatically created back doors
Wordfence speculates that the attackers could switch to other vulnerabilities in the future and provides Indicators of Compromise (IoCs) that website operators can use to determine whether their site has been compromised. These include, for example, particular strings that are present in the payload, or timestamps that record when the site was last checked for re-infection and that are stored in a misspelled file called "debugs.log".
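The following is an added example of how an operator might turn the IoCs described above into a simple file-system check; it is not code from Wordfence or from the original article. It walks a WordPress document root, flags any file named "debugs.log" (the misspelled re-infection log named on the page) and reports its contents, and searches text-like files for payload strings. Wordfence's actual payload strings are not reproduced on this page, so the string list below holds an obviously constructed placeholder that you would replace with the real indicators; the sample site built by `demo()` is likewise constructed for illustration.

```python
import tempfile
from pathlib import Path

# IoC file name from the Wordfence write-up: the malware records when a site
# was last checked for re-infection in a misspelled "debugs.log".
IOC_FILENAMES = {"debugs.log"}

# CONSTRUCTED placeholder. The real payload strings are listed by Wordfence,
# not on this page; substitute them here before running against a live site.
IOC_STRINGS = [b"PLACEHOLDER_PAYLOAD_STRING"]

# Only text-like files are searched for strings, and very large files are
# skipped so a scan over uploads does not read gigabytes of media.
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm", ".log", ".txt"}
MAX_SCAN_BYTES = 5 * 1024 * 1024


def scan_wordpress_root(root, ioc_filenames=IOC_FILENAMES, ioc_strings=IOC_STRINGS):
    """Return a sorted list of (kind, relative_path, detail) hits.

    kind is "ioc_file" for a matching file name (detail = file contents) or
    "ioc_string" for a matching payload string (detail = the string).
    """
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        # Name-based indicator: the misspelled re-infection log.
        if path.name.lower() in ioc_filenames:
            content = path.read_text(errors="replace").strip()
            hits.append(("ioc_file", rel, content))
        # Content-based indicator: known payload strings in text-like files.
        if path.suffix.lower() in SCAN_SUFFIXES and path.stat().st_size <= MAX_SCAN_BYTES:
            data = path.read_bytes()
            for needle in ioc_strings:
                if needle in data:
                    hits.append(("ioc_string", rel, needle.decode(errors="replace")))
    return sorted(hits)


def build_sample_site(base):
    """Create a CONSTRUCTED WordPress-like tree with one clean plugin, one
    plugin file carrying the placeholder string, and a debugs.log."""
    base = Path(base)
    plugins = base / "wp-content" / "plugins"
    plugins.mkdir(parents=True)
    (plugins / "clean-plugin.php").write_text("<?php // nothing suspicious here\n")
    (plugins / "injected.js").write_bytes(b"var x = 1; /* PLACEHOLDER_PAYLOAD_STRING */\n")
    # Constructed timestamp value; the page says such timestamps are stored here.
    (base / "wp-content" / "debugs.log").write_text("2020-05-03 12:00:00\n")
    (base / "wp-content" / "uploads").mkdir()
    (base / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff PLACEHOLDER_PAYLOAD_STRING")
    return base


def demo():
    """Build the sample site in a temporary directory, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wordpress_root(build_sample_site(tmp))


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(f"{kind:11s} {rel}  ->  {detail}")
```

Note that the binary `photo.jpg` is deliberately not reported even though it contains the placeholder, because the scanner only searches text-like suffixes; if you want to catch payloads hidden in uploads, widen `SCAN_SUFFIXES` at the cost of a slower scan.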
The "classic": Known weak points as a gateway
The majority of the observed attacks target vulnerabilities that have been known and patched for months or years. The best prevention, a truism in IT security, is therefore to keep all plug-ins up to date and to deactivate and delete any plug-ins that have been removed from the WordPress plug-in repository.