CISOs whose organizations use the WordPress content management system should be watching for signs those sites are being used in DDoS attacks that redirect unwitting victims using Internet Explorer to malware-infected sites that install CryptoWall 3.0 ransomware.
The warning comes from security vendor Zscaler, which noted on Thursday that in the past few days it has seen a “massive uptick” in the use of the Neutrino Exploit Kit, which last month reportedly included a zero-day exploit uncovered in the Hacking Team breach. “The cause for this uptick appears due to widespread WordPress site compromises,” Zscaler researchers have concluded.
WordPress sites running version 4.2 and lower are being compromised in this campaign, it said. “We have seen over 2,600 unique WordPress sites being used in this campaign where more than 4,200 distinct pages have been logged with dynamic iframe injection in the last month.”
“The goal of this campaign is to completely and fully compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page. The iframe is injected into the compromised site immediately after the BODY tag, and is almost identical to recent Angler (exploit kit) samples.”
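A defender-side check for the pattern described above, as an added example that is not from Zscaler or the original article: it flags a page whose first element after the opening BODY tag is an iframe pointing off-site. The function name, the off-site heuristic and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FirstBodyChild(HTMLParser):
    """Record the first thing (element or visible text) after the opening <body>."""

    def __init__(self):
        super().__init__()
        self.in_body = False
        self.first = None  # (tag, attrs) once seen

    def handle_starttag(self, tag, attrs):  # tag names arrive lowercased
        if self.first is not None:
            return
        if self.in_body:
            self.first = (tag, dict(attrs))
        elif tag == "body":
            self.in_body = True

    def handle_data(self, data):
        # Non-whitespace text before any element means the iframe is not "immediately after".
        if self.in_body and self.first is None and data.strip():
            self.first = ("#text", {})


def injected_iframe(html, site_host):
    """Return the src of an off-site iframe sitting directly after <body>, else None."""
    parser = FirstBodyChild()
    parser.feed(html)
    parser.close()
    if not parser.first or parser.first[0] != "iframe":
        return None
    src = parser.first[1].get("src") or ""
    host = (urlparse(src).hostname or "").lower()
    site = site_host.lower()
    # Assumption: relative URLs and the site's own (sub)domains are treated as benign.
    if host and host != site and not host.endswith("." + site):
        return src
    return None


# Constructed sample pages (not captured from the campaign).
INJECTED = ('<html><head><title>t</title></head><BODY class="home">\n'
            '<iframe src="http://landing.example.org/x"></iframe><div>post</div></body></html>')
CLEAN = ('<html><body><header>Blog</header>'
         '<iframe src="https://video.example.net/e/1"></iframe></body></html>')
SAME_SITE = '<body><iframe src="/widgets/banner.html"></iframe></body>'

if __name__ == "__main__":
    for name, page in (("injected", INJECTED), ("clean", CLEAN), ("same-site", SAME_SITE)):
        print(name, injected_iframe(page, "blog.example.com"))
```

Feed it the HTML as served to a browser rather than theme files on disk, since the report describes the iframe injection as dynamic.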
The report points out again the importance of running the latest version of WordPress. It also comes the same week as Akamai released its Q2 state of the Internet report, which points out that for the past three quarters there has been a doubling in the number of DDoS attacks year over year.
“WordPress, the world’s most popular website and blogging platform, is an attractive target for attackers who aim to exploit hundreds of known vulnerabilities to build botnets, spread malware and launch DDoS campaigns,” the report says in part.
It adds that third-party WordPress plugins go through very little, if any, code vetting. Twenty-five of more than 1,300 of the most popular plugins and themes it tested had at least one new vulnerability — and in some cases more than one.
“We see 5,000 or 10,000 compromised WordPress sites attacking our customers at once,” Eric Kobrin, director of adversarial resilience at Akamai Technologies, told CSO Online. “And we’re seeing more WordPress sites existing out there, so you start to see the potential for growth.”