Wordfence specialists noticed that a hack group launched a massive campaign against WordPress sites. Using various known vulnerabilities, attackers attempted to attack almost a million resources over the past week.
The attacks began on April 28, 2020 and resulted in a thirtyfold increase in the volume of malicious traffic monitored by the company. The group uses over 24,000 different IP addresses to attack and has already attempted to hack over 900,000 WordPress sites. The attacks reached their peak last Sunday, May 3, 2020, when hackers made over 20,000,000 attempts to break into 500,000 different domains.
Wordfence says that attackers use the following vulnerabilities in their campaign:
- XSS vulnerability in plugin Easy2Map which was removed from the WordPress repository back in August 2019. Attempts to exploit this vulnerability account for more than half of the total number of attacks, although the plugin is installed on less than 3000 sites;
- Plugin bug WP GDPR Compliance, revised at the end of 2018. Other than other, the problem allowed attackers to change the home URL of the site. Although this plugin has more than 100,000 installations, analysts estimate that only 5,000 of them are currently vulnerable.
XSS vulnerability in the plugin Blog Designer which was fixed in 2019. This plugin is used by approximately 1000 resources, but this vulnerability has already been exploited by other malicious campaigns;
Vulnerability in plugin Total Donations, which allows you to change the site's home URL. This plugin was removed from the Envato Marketplace in early 2019 and currently has less than 1,000 live installs.
Also, according to Wordfence experts, in the future attacks, the group can develop new exploits and expand its arsenal, which will entail attacks on other vulnerabilities.