Large Number of WordPress Hacks Silently Delivering Ransomware to Visitors

Mysteriously, a large number of sites running on WordPress have been hacked causing them to deliver  crytpo-ransomware and other malicious software, to visitors. Until last week, web security services were unaware of this massive lapse in security.

Three separate security firms have since come forward to report that visitors of a massive number of legitimate WordPress sites are being silently redirected to malicious sites, which host code from the Nuclear exploit kit.

Users with outdated versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer are highly susceptible to getting infected with Teslacrypt ransomware package. The ransomware encrypts files on the computer with a decryption key which can only be availed at a hefty ransom to restore user files.

“WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads,” Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. “This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit.”

Researchers at Heimdal Security Software wrote in a blog post: “The campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use.” Hackers are exploiting an unidentified vulnerability with obfuscated JavaScript which redirects traffic to a domain called chrenovuihren. An online ad pops up on the site which forces traffic to the site hosting the Nuclear exploit kit.

“This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files.” Website security firm Sucuri, said in a statement in a blog post, Monday. “This malware uploads multiple backdoors into various locations on the webserver and frequently updates the injected code. This is why many webmasters are experiencing constant reinfections post-cleanup of their .jsfiles.”

Three of the Best WordPress Security Plugins Reviewed

With cyberattacks getting increasingly common, about 30,000 per day, it’s more important than ever to protect your site. You can take steps to safeguard your data without paying external services. Setting a complicated password and keeping your site up-to-date goes a long way, but the extra blanket of security provided by security plugins certainly helps and is worth shelling out a few extra dollars for premium features.

There’s a ton of WordPress security plugins, so we’ve reviewed only three of the most popular ones out there:

  1. WordFence

This plugin is free but for additional features there is a premium version. It routinely scans all your WordPress files for malware infections and notifies you if any is found. Using two factor authentication (with SMS), it stops brute force attack. WordFence gives users the option to block people from certain countries, and has a firewall to block fake traffic. The plugin claims to speed up your website 50 times faster, and can support multiple sites on the same account.

  1. iThemes Security

Formerly known as ‘Better WP Security’, iThemes is a popular choice with users. It scans your site to find vulnerabilities and fixes them as quickly as it sends you a report. It not only hides sensitive core files, but increases the password’s security level and blocks ‘bad users’. If iThemes is faced with a user with repeated login attempts, it will block and report their IP addresses. Pro users get two-factor authentication using a mobile app, password expiration, a track log of users’ actions, and a malware scan automatically every day.

  1. Sucuri Security

This plugin is a product of Sucuri Inc., a web security company focused on detecting and remediating compromised websites. Its security activity monitoring feature tracks all changes to help security experts understand how it is being compromised. Sucuri Security also Security Activity Auditing has File Integrity Monitoring, Remote Malware Scanning, Blacklist Monitoring, Effective Security Hardening, Post-Hack Security Actions, Security Notifications and a Website Firewall.

WordPress 4.4.2 Update Released to Patch Vulnerabilities

WordPress 4.4.2 has been released as an update to all versions to provide patches for two security vulnerabilities. To improve functionality, 17 bugs from the previous version are also addressed. The update is now available to download and WordPress recommends that everybody update immediately.

One of the two security fixes in 4.4.2 is a possible Server-Side Request Forgery (SSRF) vulnerability. It impacts local addresses and allows hackers to bypass access controls, like Firewall, to crash infected systems. The actual WordPress code commit that fixes the SSRF issue states that “0.1.2.3 is not a valid IP.”

This is not the first time WordPress has pushed a fix for SSRF. In June 2013, WordPress 3.5.2 was released with a patch-up for a SSRF vulnerability.

The Mitre Common Weakness Enumeration (CWE) states in its definition of SSRF as,”By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly.”

Open redirection attack is the second issue tackled in the new update. An open redirection attack links to external sites – phishing sites or other kinds of malicious sites – by abusing web functionality. “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect,” Mitre’s Open Redirect definition states. “This simplifies phishing attacks.”

A new block of code which will bring about better validation of the Web addresses used in HTTP redirects, is WordPress’s solution for the open redirection attack insecurity.

After the Jan 6th update of WordPress 4.4.1, this is the second update of the year for WordPress. Like last time, automatic updates are being rolled out to sites that support automatic background updates. To download manually, you can either head over to Dashboard > Updates in WordPress and click on the “Update Now” button, or download WordPress 4.4.2 from WordPress directly.