Large Number of WordPress Hacks Silently Delivering Ransomware to Visitors

Mysteriously, a large number of sites running on WordPress have been hacked, causing them to deliver crypto-ransomware and other malicious software to visitors. Until last week, web security services were unaware of this massive lapse in security.

Three separate security firms have since come forward to report that visitors to a massive number of legitimate WordPress sites are being silently redirected to malicious sites, which host code from the Nuclear exploit kit.

Users with outdated versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer are highly susceptible to infection with the TeslaCrypt ransomware package. The ransomware encrypts files on the computer; the decryption key needed to restore them is only made available for a hefty ransom.

“WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads,” Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. “This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit.”

Researchers at Heimdal Security Software wrote in a blog post: “The campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use.” Hackers are exploiting an unidentified vulnerability, using obfuscated JavaScript that redirects traffic to a domain called chrenovuihren. An online ad pops up on the site, which forces traffic to the site hosting the Nuclear exploit kit.

“This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files,” website security firm Sucuri said in a blog post on Monday. “This malware uploads multiple backdoors into various locations on the webserver and frequently updates the injected code. This is why many webmasters are experiencing constant reinfections post-cleanup of their .js files.”
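The reinfection pattern Sucuri describes (a tail appended to every legitimate .js file, re-added after each cleanup) is exactly what a file-integrity baseline catches. The following is an added example, not code from the article or from any of the firms quoted: it hashes every .js file under a tree, diffs a later scan against that baseline, and for files that merely grew it returns the appended bytes so an operator can see what was tacked on. The sample script and the "injected" tail are constructed placeholders, and the token watch-list is this example's own heuristic, not a published signature.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample content (not the real injection from the campaign):
# a harmless script and a placeholder "obfuscated tail" of the kind an
# append-to-.js infection adds to the end of a legitimate file.
CLEAN_JS = "(function ($) { $.fn.hello = function () { return this; }; })(jQuery);\n"
INJECTED_TAIL = "\n/* constructed sample */ eval(String.fromCharCode(118, 97, 114));\n"

# Tokens that rarely appear at the tail of a legitimate library but are typical
# of appended droppers; tune this list for your own code base (example heuristic).
SUSPICIOUS_TOKENS = ("eval(", "String.fromCharCode", "unescape(", "document.write(")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large bundles do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, suffix=".js"):
    """Record hash and size of every *.js file under root, keyed by POSIX relative path."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): {"sha256": hash_file(path), "size": path.stat().st_size}
        for path in root.rglob("*" + suffix)
        if path.is_file()
    }


def compare(root, baseline):
    """Diff the tree against a baseline. Returns {relpath: finding} for new, missing
    or modified files; for files that only grew, the appended bytes are included so
    an operator can inspect exactly what was added at the end."""
    root = Path(root)
    current = build_baseline(root)
    findings = {}
    for rel, info in current.items():
        old = baseline.get(rel)
        if old is None:
            findings[rel] = {"status": "new"}
        elif old["sha256"] != info["sha256"]:
            finding = {"status": "modified"}
            if info["size"] > old["size"]:
                with open(root / rel, "rb") as handle:
                    handle.seek(old["size"])
                    finding["appended"] = handle.read().decode("utf-8", "replace")
            findings[rel] = finding
    for rel in baseline:
        if rel not in current:
            findings[rel] = {"status": "missing"}
    return findings


def looks_suspicious(text):
    """Cheap triage: does the text contain any of the watch-listed tokens?"""
    return any(token in text for token in SUSPICIOUS_TOKENS)


def demo():
    """Build a tiny fake WordPress tree, baseline it, append a tail to one file,
    then rescan. Returns (all findings, findings whose appended bytes look suspicious)."""
    with tempfile.TemporaryDirectory() as tmp:
        js_dir = Path(tmp) / "wp-includes" / "js"
        js_dir.mkdir(parents=True)
        (js_dir / "hello.js").write_text(CLEAN_JS, encoding="utf-8")
        (js_dir / "other.js").write_text(CLEAN_JS, encoding="utf-8")
        baseline = build_baseline(tmp)        # taken while the site is known-clean

        with open(js_dir / "hello.js", "a", encoding="utf-8") as handle:
            handle.write(INJECTED_TAIL)       # simulate the append-to-.js infection

        findings = compare(tmp, baseline)
        flagged = {rel: f for rel, f in findings.items() if looks_suspicious(f.get("appended", ""))}
        return findings, flagged


if __name__ == "__main__":
    all_findings, suspicious = demo()
    for rel, finding in all_findings.items():
        print(rel, finding["status"], "SUSPICIOUS" if rel in suspicious else "")
```

Store the baseline off the web server (a compromised host can rewrite it along with the files), refresh it only after a verified update, and treat a modified core or plugin file as a cleanup trigger for the whole site rather than just that file, since the article notes the injection also drops backdoors elsewhere on the server.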

Three of the Best WordPress Security Plugins Reviewed

With cyberattacks getting increasingly common, at about 30,000 per day, it’s more important than ever to protect your site. You can take steps to safeguard your data without paying for external services. Setting a complicated password and keeping your site up to date go a long way, but the extra blanket of security provided by security plugins certainly helps, and premium features are worth shelling out a few extra dollars for.

There are a ton of WordPress security plugins, so we’ve reviewed only three of the most popular ones out there:

  1. Wordfence

This plugin is free, but a premium version adds further features. It routinely scans all your WordPress files for malware infections and notifies you if any is found. Using two-factor authentication (with SMS), it stops brute-force attacks. Wordfence gives users the option to block visitors from certain countries, and has a firewall to block fake traffic. The plugin claims to make your website 50 times faster, and can support multiple sites on the same account.

  2. iThemes Security

Formerly known as ‘Better WP Security’, iThemes is a popular choice with users. It scans your site to find vulnerabilities and fixes them as quickly as it sends you a report. It not only hides sensitive core files, but also raises the password security level and blocks ‘bad users’. If iThemes sees a user making repeated login attempts, it will block and report their IP address. Pro users get two-factor authentication using a mobile app, password expiration, a log of users’ actions, and an automatic daily malware scan.

  3. Sucuri Security

This plugin is a product of Sucuri Inc., a web security company focused on detecting and remediating compromised websites. Its security activity monitoring feature tracks all changes to help security experts understand how a site is being compromised. Alongside Security Activity Auditing, Sucuri Security offers File Integrity Monitoring, Remote Malware Scanning, Blacklist Monitoring, Effective Security Hardening, Post-Hack Security Actions, Security Notifications and a Website Firewall.

WordPress 4.4.2 Update Released to Patch Vulnerabilities

WordPress 4.4.2 has been released as an update to all versions, providing patches for two security vulnerabilities. It also addresses 17 bugs from the previous version. The update is available to download now, and WordPress recommends that everybody update immediately.

One of the two security fixes in 4.4.2 is for a possible Server-Side Request Forgery (SSRF) vulnerability. It involves local addresses and could allow attackers to bypass access controls, such as a firewall, and crash affected systems. The actual WordPress code commit that fixes the SSRF issue states that “0.1.2.3 is not a valid IP.”

This is not the first time WordPress has pushed a fix for SSRF. In June 2013, WordPress 3.5.2 was released with a patch for an SSRF vulnerability.

The MITRE Common Weakness Enumeration (CWE) definition of SSRF states: “By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly.”

An open redirection attack is the second issue tackled in the new update. An open redirection attack links to external sites, such as phishing sites or other kinds of malicious sites, by abusing web functionality. “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect,” MITRE’s Open Redirect definition states. “This simplifies phishing attacks.”

WordPress’s solution for the open redirection weakness is a new block of code that brings better validation of the web addresses used in HTTP redirects.
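Both 4.4.2 fixes come down to validating a URL before the server acts on it: for SSRF, refusing to fetch from addresses that point back at the server or its internal network (the commit's “0.1.2.3 is not a valid IP” is about exactly such an address); for open redirects, refusing to send a browser anywhere but your own site. The following is an added example written in Python to illustrate those two checks; it is not WordPress's own (PHP) code, and the allowed-port set, blocked host names and allow-list policy are this example's choices, not WordPress's.

```python
import ipaddress
from urllib.parse import urlparse

# Host names that name the server itself; a resolver step would catch these too,
# but rejecting them up front costs nothing. (Policy chosen for this example.)
BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain"}
ALLOWED_FETCH_PORTS = {80, 443, 8080}          # policy chosen for this example


def host_is_safe_for_fetch(host):
    """Reject hosts that point at the server itself or its internal network.
    Only IP literals are judged here; a real deployment must also resolve
    names and apply the same test to every address they resolve to."""
    if not host:
        return False
    name = host.strip("[]").lower()
    if name in BLOCKED_HOSTNAMES or name.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return True   # a hostname, not a literal: the caller must resolve and re-check
    # is_global is False for loopback, link-local, RFC 1918, multicast, reserved
    # ranges and 0.0.0.0/8 ("this network"), so a literal such as 0.1.2.3 fails.
    return ip.is_global


def validate_fetch_url(url):
    """Guard for server-side fetches (feeds, oEmbed, pingbacks...). Returns (ok, reason)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is not None and port not in ALLOWED_FETCH_PORTS:
        return False, "port not allowed"
    if not host_is_safe_for_fetch(parts.hostname):
        return False, "host not allowed"
    return True, "ok"


def safe_redirect_target(target, allowed_hosts, fallback="/"):
    """Open-redirect guard: return target only if it is an absolute same-site path
    or an http(s) URL on an allow-listed host; anything else becomes the fallback."""
    if not target:
        return fallback
    target = target.strip()
    if any(ord(ch) < 0x20 for ch in target):       # CR/LF and other control bytes
        return fallback
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. "//host" is scheme-relative (netloc set, handled below);
        # "/\host" and "\host" are browser-normalised to "//host", so refuse them here.
        if target.startswith(("/\\", "\\")) or not target.startswith("/"):
            return fallback
        return target
    if parts.scheme not in ("http", "https"):
        return fallback       # also rejects scheme-relative "//evil.example" (scheme == "")
    if (parts.hostname or "").lower() not in allowed_hosts:
        return fallback       # also rejects "http://blog.example@evil.example/"
    return target


if __name__ == "__main__":
    for url in ("https://example.com/feed/", "http://0.1.2.3/", "http://[::1]/", "http://169.254.169.254/"):
        print(url, validate_fetch_url(url))
    for t in ("/wp-admin/", "https://evil.example/", "//evil.example/", "javascript:alert(1)"):
        print(repr(t), "->", safe_redirect_target(t, {"blog.example"}))
```

The fetch guard deliberately passes plain host names through: the only sound place to block a name that resolves to an internal address is after resolution, with the check applied to each resolved address (and the connection pinned to an address that passed), otherwise a name that resolves differently between check and use slips by. The redirect guard falls back to a safe default rather than raising, because a login flow should still complete when its return URL is rejected.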

After the January 6th update to WordPress 4.4.1, this is the second WordPress update of the year. Like last time, automatic updates are being rolled out to sites that support automatic background updates. To update manually, you can either head over to Dashboard > Updates in WordPress and click the “Update Now” button, or download WordPress 4.4.2 from WordPress directly.