WordPress vulnerabilities which were discovered recently have been negatively and sometimes fatally affecting countless websites thus far. Initially, there were three flaws (identified about two weeks back) for which WordPress has already released security updates. However, we later learned that there was another huge vulnerability that allowed cyber-criminals to obtain unauthorized remote access to manipulate WordPress sites by editing or even deleting pages. This vulnerability was disclosed by the security firm, Sucuri.
It must be noted that after the release of WordPress 4.7.2 in January 2017, the CMS/content management system’s developers revealed that the latest version contained all the necessary patches to fix the three previously identified flaws, namely SQL injection, cross-site scripting (XSS), and access control concerns.
However, a week later, developers claimed that there was another flaw for which a patch was also included in the latest version update. This flaw was quite dangerous as it allowed cyber-criminals to gain administrator privileges. This was a content injection vulnerability which affected the REST API. The site admins had a week to patch the flaw but failed to update their sites. Last week, Sucuri disclosed the flaw; sending hackers into overdrive to capitalize on mistakes made. Thousands of sites have since been hacked with all their home pages carrying “Hacked By” messages.
Sucuri stated that hackers had compromised not hundreds but thousands of websites due to the availability of unpatched websites in such large quantity. The firm further stated that it was the delay in patches being implemented which resulted in such a large number of pages being affected.
Sucuri did inform WordPress about the vulnerability and a patch was included in the recent release from the company, but apparently, admins of the sites did not update their sites manually; perhaps they were relying on the automated updating feature, which unfortunately wasn’t working. Within 48 hours, hackers had started exploiting the flaw.
According to Sucuri, four different hacking groups were involved in the latest hack campaign involving WordPress websites. The exploitation is being conducted across the globe and there are apparently four campaigns running simultaneously against unpatched WordPress sites. One of the groups has managed to compromise over 66,000 pages while two groups have compromised 500 pages.
The company was able to make the assumption that there are four or maybe more perpetrators of the crime because they have identified various IP addresses. W4l3XzY3 and Cyb3r-Shia are believed to be the groups conducting mass attacks. Sucuri has suggested that users must block following four IP addresses immediately: 126.96.36.199, 188.8.131.52, 184.108.40.206, 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1.
The IP address 220.127.116.11 is believed to belong to the hacker, so it is better that users block this one too. Two different hackers By+NeT.Defacer and By+Hawleri_hacker are using the same IP address, 18.104.22.168.
According to SecurityWeek, there is a fifth hacking group involved too, but all the actors participating in the exploitation of the unpatched sites are mostly novices trying to boost their popularity online. However, security experts fear that the flaw will be used to perform search engine poisoning. As CTO and founder of Sucuri Daniel Cid pointed out: “There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability.”