It's hard enough for enterprise defenders to stay on top of every security update for every application in their environment. The recent wave of attacks targeting WordPress sites with vulnerable plugins highlights how much WordPress administrators have to rely on individual developers for timely notification of vulnerabilities and updates, and how a single actor can complicate those efforts.
Over the past month, thousands of compromised WordPress websites have redirected unwitting visitors to tech-support scams and other malicious sites. The sites were compromised through vulnerabilities in four WordPress plugins: Yuzo Related Posts, used by 60,000 sites to display "related posts" sections; Yellow Pencil Visual Theme Customizer, used by 30,000 sites to customize their appearance; Easy WP SMTP; and Social Warfare, used by 70,000 sites.
Researchers with Wordfence, a company that makes a WordPress plugin that scans for malicious plugins, said they were "confident" the plugins were being exploited by the same actor because the malicious script used in each attack was hosted on a domain resolving to the same IP address.
"Exploits so far are using a malicious script hosted on a domain, hellofromhony[.]com, which resolves to 176.123.9[.]53. That IP address was used in the other attacks mentioned. We are confident that all four attack campaigns are the work of the same threat actor," the researchers wrote.
The attacks began after a site called Plugin Vulnerabilities published details of the plugins' vulnerabilities along with proof-of-concept exploit code. The posts contained enough technical detail for attackers to target vulnerable sites, and in some cases the attacks appear to have used code copied directly from the posts. There was a gap of 11 days between the publication of the Yuzo vulnerability details and the first reports of in-the-wild exploitation of that plugin. For Yellow Pencil and Social Warfare, attacks were reported within hours.
Warfare Plugins, the developer of the Social Warfare plugin, published a timeline of what happened on Mar. 21, the day the details for that plugin were published. "An unnamed individual published the exploit for hackers to take advantage of," the timeline said. "Attacks on unsuspecting websites begin almost immediately."
There were no reports of in-the-wild exploitation of the plugins before the posts were published. The author of the Plugin Vulnerabilities posts told Ars Technica that the plugin developers were notified only after the details had been published.
"As continues to be the case, a disgruntled security researcher continues to put the WordPress community at risk by publicly disclosing POCs for zero-day vulnerabilities," Wordfence said.
WordPress removed Yuzo and Yellow Pencil from its plugin repository to prevent attackers from targeting the vulnerable versions. Social Warfare’s developers promptly released an updated version of the plugin and Yellow Pencil has also issued a patch.
“If your website does not redirect to malware website, your website is not hacked but you must update the plugin quickly to the latest version for keeping your website safe,” Yellow Pencil’s developers wrote, warning users to update to version 7.2.0.
Removing a plugin from the repository only prevents new sites from installing it. Administrators already running the plugin have to remove it from their sites on their own and update when a fixed version becomes available. According to posts on the WordPress forums, many administrators found out about the vulnerable plugins only after their sites had been compromised.
The repository team's closure of the plugins may itself signal attackers to pay closer attention to sites running them, warned John Castro, a vulnerability researcher with website security company Sucuri. Shortly after the Yuzo plugin was closed (removed from the repository), a campaign targeting sites with a vulnerable Social Warfare plugin began scanning those sites to check whether Yuzo was also installed, Castro wrote on the Sucuri blog.
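Because closure of a plugin in the repository does nothing for sites that already have it installed, the practical check is a local one: walk wp-content/plugins, read each plugin's header block (the same "Plugin Name:" / "Version:" comment WordPress itself parses), and flag the plugins named in this article that are missing, closed, or below the one fixed version the article states (Yellow Pencil 7.2.0). The script below is an added example written for this page; it is not code from Wordfence, Sucuri, or any plugin vendor. The directory slugs in the watchlist are assumed, the sample plugin tree is constructed for a dry run, and the indicator strings are the domain and IP Wordfence quoted above with the defanging brackets removed.

```python
"""Added example: audit a WordPress plugin directory for the plugins named in
the article and check page HTML for the quoted redirect-script indicators."""
import os
import re
import tempfile

# Assumed directory slugs under wp-content/plugins. The only fixed version the
# article gives is Yellow Pencil 7.2.0; plugins with None are flagged whenever
# they are installed (closed in the repository, or no fixed version stated).
WATCHLIST = {
    "yuzo-related-post": None,
    "yellow-pencil-visual-theme-customizer": (7, 2, 0),
    "easy-wp-smtp": None,
    "social-warfare": None,
}

# Indicators quoted by Wordfence in the article, undefanged.
IOCS = ("hellofromhony.com", "176.123.9.53")

# Matches "Plugin Name: X" / "Version: X" lines in either /* ... */ or /** * ... */ headers.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(text):
    """'7.1.9' -> (7, 1, 9); non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_below(installed, fixed):
    """True if installed < fixed, padding short versions with zeros so 7.2 == 7.2.0."""
    a, b = list(parse_version(installed)), list(fixed)
    n = max(len(a), len(b))
    a += [0] * (n - len(a))
    b += [0] * (n - len(b))
    return a < b


def read_plugin_header(plugin_dir):
    """Return (name, version) from the first PHP file carrying a plugin header, else None."""
    for fname in sorted(os.listdir(plugin_dir)):
        if not fname.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, fname), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress only reads the first 8 KiB for headers
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            return fields["Plugin Name"], fields.get("Version", "0")
    return None


def audit_plugins(plugins_dir, watchlist=WATCHLIST):
    """Return (slug, name, version, action) for watchlisted plugins that need attention."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, slug)
        if slug not in watchlist or not os.path.isdir(path):
            continue
        header = read_plugin_header(path)
        if header is None:
            continue
        name, version = header
        fixed = watchlist[slug]
        if fixed is None:
            findings.append((slug, name, version, "closed or no fixed version known: remove"))
        elif version_below(version, fixed):
            findings.append((slug, name, version,
                             "below fixed version %s: update" % ".".join(map(str, fixed))))
    return findings


def find_ioc_references(html, iocs=IOCS):
    """Return the indicators that appear in a page's HTML (e.g. an injected script src)."""
    return [ioc for ioc in iocs if ioc in html]


def make_sample_install():
    """Constructed sample plugin tree (not a real site) so the audit can run offline."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "yellow-pencil-visual-theme-customizer/yellow-pencil.php":
            "<?php\n/*\nPlugin Name: Yellow Pencil\nVersion: 7.1.9\n*/\n",
        "yuzo-related-post/yuzo_related_post.php":
            "<?php\n/**\n * Plugin Name: Yuzo Related Post\n * Version: 5.12.0\n */\n",
        "some-other-plugin/plugin.php":
            "<?php\n/*\nPlugin Name: Some Other Plugin\nVersion: 1.0.0\n*/\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    with open(os.path.join(root, "index.php"), "w") as fh:  # loose file, as real installs have
        fh.write("<?php\n// Silence is golden.\n")
    return root


if __name__ == "__main__":
    for finding in audit_plugins(make_sample_install()):
        print("%-40s %-20s %-8s %s" % finding)
    # Constructed page fragment standing in for an injected redirect script.
    print("IOC hits:", find_ioc_references('<script src="https://hellofromhony.com/"></script>'))
```

On a live install, point audit_plugins at the real wp-content/plugins path and run find_ioc_references over the HTML the site actually serves to visitors (fetched as an anonymous client, since injected redirects often target non-admin sessions). A hit on either check means the plugin must be removed or updated and the site reviewed for the injected script, not just the plugin.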
The author of the disclosure posts denied any responsibility for the attacks and blamed the moderators of the WordPress Support Forum for creating the problem. Ars Technica found that the author resented the moderators' removal of posts disclosing unfixed vulnerabilities in public forums, and that this spree of disclosures was a protest against those moderators.
"We have no direct knowledge of what any hackers are doing, but it seems likely that our disclosures could have led to exploitation attempts," the author told Ars. "These full disclosures would have long ago stopped if the moderation of the Support Forum was simply cleaned up, so any damage caused by these could have been avoided, if they would have simply agreed to clean that up."
The team behind WordPress does a good job of keeping the core software up to date and secure, but the sprawling ecosystem of third-party software is the content management platform's Achilles' heel. A recent Imperva report found that 98 percent of WordPress vulnerabilities are in plugins that extend a site's functionality and features. When developers, often a single person or a small team without dedicated security expertise, cannot fix vulnerabilities promptly, individual website owners are left at risk.
"As was the case a few weeks ago, the irresponsible actions of a security researcher has resulted in a zero-day plugin vulnerability being exploited in the wild," Wordfence said. "Cases like this underscore the importance of a layered security approach which includes a WordPress firewall."
Administrators should assume more exploits for other plugins are on the way and stay alert for which plugins need to be disabled or updated.