Siege Warfare – WordPress Sites Under Attack for 36 hours

WordPress sites have been under attack for 36 hours, from 16,000 IP addresses. Threat Intelligence Analysts from Wordfence, have reported an ongoing assault against 1.6 million WordPress sites. The traffic originates from 16,000 IPs and threat actors appear to be targeting four WordPress plugins and fifteen Epsilon Framework themes. One of which has no patch available at present.

Since 2018, some plugins had patches available and others were just recently released. Wordfence has blocked over 13.7 million attacks since it identified the attacks.

The impact:

The attackers are abusing instances of Unauthenticated Arbitrary Options Update vulnerabilities. In most cases, they are enabling the ability for self-registration and setting the default role for new accounts to ‘administrator’.

If an attacker self-registers as an administrator, they have essentially compromised the entire web application and all existing user accounts. They can add, update and delete user account details, install/uninstall and delete plugins and perform a variety of malicious actions.

A common use for a compromised WordPress site is to use it as a staging site for phishing campaigns.

The important information:

The following plugins and versions are vulnerable:

• PublishPress Capabilities <= 2.3
• Kiwi Social Plugin <= 2.0.10
• Pinterest Automatic <= 4.14.3
• WordPress Automatic <= 3.53.2

The following themes in the Epsilon framework are vulnerable:

• NatureMag Lite – No patch available. It is recommended to uninstall from site.
• Shapely <=1.2.8
• NewsMag <=2.4.1
• Activello <=1.4.1
• Illdy <=2.1.6
• Allegiant <=1.2.5
• Newspaper X <=1.3.1
• Pixova Lite <=2.0.6
• Brilliance <=1.2.9
• MedZone Lite <=1.2.5
• Regina Lite <=2.0.5
• Transcend <=1.1.9
• Affluent <1.1.0
• Bonkers <=1.0.5
• Antreas <=1.0.6

The remediation:

The following actions should be taken immediately:

• Identify if the affected plugin and themes are operational on your site.
• Update the affected plugins and themes to their latest versions. Remove NatureMag Lite theme if present, as there is no patch available at this time.
• If affected plugins are detected, change all passwords for user accounts and implement 2FA/MFA if not already in place.
• Review all user accounts present on the website, specifically those with administrator privileges and determine whether they are authorised to have those privileges. Remove any accounts that appear to be unauthorised. NOTE: attacks were first identified on the 6^th of December, any administrator accounts created between then and the present should be scrutinised.
• Review reference A and B
  • Article A guides site administrators through identifying whether their sites have been compromised.
  • Article B shows site administrators how to clean up after an attack.
• Finally, review reference C
  • This is the official guide for WordPress security hardening. It is recommended to use this, to ensure that your WordPress site’s security posture is in line with best practices.

Sources:

A. https://www.wordfence.com/blog/2021/12/massive-wordpress-attack-campaign/

B. https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

C. https://wordpress.org/support/article/hardening-wordpress/