Experts from Defiant warned that a group of hackers are exploiting vulnerabilities in more than 10 WordPress plugins to create new admin accounts on other sites. These accounts then serve as a backdoor for attackers.
According to researchers , what is happening is a natural continuation of the malicious campaign that began in July 2019. Then the same hack group used vulnerabilities in the same plugins to inject malicious code onto websites. This code was intended to display pop-up ads or to redirect visitors to other resources. Now, starting August 20, 2019, criminals have changed tactics and use other payloads. So, now instead of the code responsible for injecting pop-ups and redirects, there is a code that checks if the site visitor has the ability to create user accounts (a feature available only to administrator accounts in WordPress). In fact, the malware is waiting for the site owner to access his resource. When this happens, the malicious code creates a new administrator account named wpservices using the address [email protected] and the password w0rdpr3ss . These accounts are then used as backdoors.
The researchers write that attacks target known vulnerabilities in the following plugins:
- Bold Page Builder;
- Blog Designer;
- Visual CSS Style Editor;
- Live Chat with Facebook Messenger;
nd-booking, nd-travel, nd-learning and so on).
Defiant strongly encourages site owners to update the above plugins to the latest versions, as well as check your resources for new administrator accounts and, if necessary, remove fraudulent accounts.