Recently, we told you that we found a dangerous vulnerability that allows you to upload malicious files to vulnerable sites. At the same time, the File Manager plugin is used by more than 700,000 resources, and although the vulnerability has already been fixed, a few days ago more than half of the sites were still considered vulnerable.
Attacks on this vulnerability began almost immediately: attackers uploaded web shells to websites that allowed them to take control of the resource and use it for their own purposes. The researchers wrote that attackers are trying to embed various files on websites. In some cases, these files were empty (obviously, the hackers were only testing the vulnerability), other malicious files were named hardfork.php, hardfind.php and x.php and Feoidasf4e0_index.php.
Earlier this week, the Defiant experts behind the development of Wordfence warned that the number of attacks on this vulnerability continues to grow rapidly. In total, experts reported attacks on 1.7 million resources.
Now the Defiant experts have published an update
about the situation, which continues to worsen. So, according to the company, 2.6 million WordPress sites have already been attacked.
Researchers write that many hackers are now trying to attack the vulnerability in File Manager, but two of them have achieved the greatest success in deploying malware on vulnerable sites. One of these hackers is the Moroccan attacker bajatax, previously known to experts for its penchant for stealing user credentials from PrestaShop e-commerce sites.
After that website hack, bajatax injects malicious code into the resource that collects and steals user credentials, which are retrieved via Telegram and then sold to the highest bidder .
Another hacker injects backdoors into a randomized folder and into the root of hacked sites. In both cases, the malware is disguised as .ico files, apparently to reduce the likelihood of both malware being detected at once. This attacker uses compromised resources to deploy miners as well as SEO spam campaigns.
At the same time, both attackers try to protect sites from other attackers and password-protect the vulnerable connector.minimal.php file, which is the cornerstone of the entire attack.
Hackers protected a vulnerable site
“The aforementioned attackers are most successful in their efforts to block other attackers, and together they use several thousand IP addresses in their attacks. addresses,” analysts write.
In total, Defiant experts recorded attacks on a vulnerability in File Manager from 370,000 individual IP addresses, and this activity is almost not intersected by active attempts to access backdoors . The only exception is the IP address 51.83.216[.]204: the people behind it opportunistically check for the presence of both backdoors on hacked sites and try to add their own backdoor to the resource (however, without much success).