Attackers using Neutrino exploit kit to exploit WordPress, warns vendor

CISOs whose organizations use the WordPress content management system should be watching for signs those sites are being used in DDoS attacks that redirect unwitting victims using Internet Explorer to malware-infected sites that install CryptoWall 3.0 ransomware.

The warning comes from security vendor Zscaler, which noted on Thursday that in the past few days it has seen a “massive uptick” in the use of the Neutrino Exploit Kit, which last month reportedly included a zero-day exploit discovered in the Hacking Team breach. “The cause for this uptick appears due to widespread WordPress site compromises,” Zscaler researchers have concluded.

WordPress sites running version 4.2 and lower are being compromised in this campaign, it said. “We have seen over 2,600 unique WordPress sites being used in this campaign where more than 4,200 distinct pages have been logged with dynamic iframe injection in the last month.”

“The goal of this campaign is to completely and fully compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page. The iframe is injected into the compromised site immediately after the BODY tag, and is almost identical to recent Angler (exploit kit) samples.”
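The injection pattern Zscaler describes (an iframe placed immediately after the BODY tag) can be checked for on pages you serve. The following is an added example, not code from Zscaler or from the article; treating only off-site iframe sources as suspicious is an assumption, and the host names and sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class BodyIframeCheck(HTMLParser):
    """Flags an off-site <iframe> that is the first content after <body>."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.in_body = False
        self.decided = False   # True once the first content after <body> is seen
        self.finding = None    # src of the suspicious iframe, if any

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
            return
        if not self.in_body or self.decided:
            return
        self.decided = True
        if tag != "iframe":
            return
        src = dict(attrs).get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        # Assumption: relative URLs and the site's own (sub)domains are local.
        local = host == self.site_host or host.endswith("." + self.site_host)
        if host and not local:
            self.finding = src

    def handle_data(self, data):
        # Visible text before the first element means the iframe is not adjacent.
        if self.in_body and not self.decided and data.strip():
            self.decided = True


def injected_iframe(html, site_host):
    """Return the iframe src if the page matches the pattern, else None."""
    parser = BodyIframeCheck(site_host)
    parser.feed(html)
    parser.close()
    return parser.finding


# Constructed sample pages (not captured from the campaign).
CLEAN = '<html><body class="home"><div><iframe src="https://video.example.net/e/1"></iframe></div></body></html>'
INJECTED = '<html><body class="home">\n<iframe src="http://landing.example.org/x"></iframe><div>Hi</div></body></html>'
LOCAL = '<html><body><iframe src="/wp-content/embed.html"></iframe></body></html>'
```

Run it against the rendered HTML of each page rather than theme files alone, since the article describes the iframe injection as dynamic.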

The report points out again the importance of running the latest version of WordPress. It also comes the same week as Akamai released its Q2 state of the Internet report, which points out that for the past three quarters there has been a doubling in the number of DDoS attacks year over year.

“WordPress, the world’s most popular website and blogging platform, is an attractive target for attackers who aim to exploit hundreds of known vulnerabilities to build botnets, spread malware and launch DDoS campaigns,” the report says in part.

It adds that third-party WordPress plugins go through very little, if any, code vetting. Twenty-five of more than 1,300 of the most popular plugins and themes it tested had at least one new vulnerability — and in some cases more than one.

“We see 5,000 or 10,000 compromised WordPress sites attacking our customers at once,” Eric Kobrin, director of adversarial resilience at Akamai Technologies, told CSO Online. “And we’re seeing more WordPress sites existing out there, so you start to see the potential for growth.”

Howard Solomon