Holiday Attack Spikes Target Ancient Vulnerabilities and Hidden Webshells
Winter brings a number of holidays in a short period of time, and many organizations shut down or run a skeleton crew for a week or more at the end of the year and beginning of the new year. This makes it easier for would-be attackers to find success as systems are not as closely monitored. This means that during major holidays it is not uncommon to see spikes in attack attempts.
We observed spikes in attack traffic for two of our firewall rules over the Christmas and New Year holidays, which are discussed in more detail below. The spikes in these rules look rather different when compared to each other. What they have in common is that the best defenses are proactively securing your website and keeping WordPress core, themes, and plugins updated.
Targeted Spikes: Downloads Manager Plugin
There were two spikes specifically targeting the Downloads Manager plugin by Giulio Ganci. The first spike was on December 24, 2022, with a second spike on January 4, 2023. In the 30-day reporting period, only 17 attempts to scan for
debug.log files did not target the Downloads Manager plugin. On average, the rule that blocks these scans typically blocks an average of 7,515,876 scan attempts per day. The first spike saw 92,546,995 scan attempts, and the second spike soared to 118,780,958 scan attempts in a single day.
Over the reporting period, we tracked 466,827 attacking IP addresses. These IP addresses attempted to exploit vulnerabilities on 2,663,905 protected websites. The top 10 IP addresses were responsible for 90,693,836 exploit attempts over the course of the reporting period.
The observed user-agent strings were largely known legitimate user-agents, though some appear to have been modified. The top ten user-agents accounted for 306,845,888 of the total exploit attempts during this time period.
During these spikes, the scans were specifically looking for readme.txt files within the
/wp-content/plugins/downloads-manager/ directory of the website. When found, they are primarily attempting to upload the Mister Spy Bot V7 shell with a filename similar to
up__jpodv.php, where the last five characters of the name are random letters, or the Saber BOT V1 shell with a filename of
saber.php as the malicious payload.
The vulnerability would-be attackers are attempting to exploit is an arbitrary file upload vulnerability found in Downloads Manager