A hacker group has tried to hijack nearly a million WordPress sites over the past seven days, according to a blog post by cybersecurity firm Wordfence.
Over the past few days, the group has made more than 20 million hacking attempts against half a million websites.
The firm said that it has found more than 24,000 distinct IP addresses that tried to hack into more than 900,000 WordPress websites.
“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only in the past few days that they’ve truly ramped up,” said Ram Gall, QA engineer at Wordfence.
After investigating, the firm found that the attackers tried to exploit cross-site scripting (XSS) vulnerabilities using malicious JavaScript code that redirects victims to a malicious website.
In the majority of cases, the malicious JavaScript code was located at “counttrackstatisticssscom/stm”. In some cases, the malicious JavaScript code uses String.fromCharCode to obfuscate the URL.
The script automatically checks whether the victim is logged in. If the victim is not logged in, it redirects them to the malicious website; if the victim is logged in, it tries to inject a PHP backdoor into the theme’s header.
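The String.fromCharCode obfuscation described above can be reversed without ever running the injected script. The following is an added example, not code from Wordfence or the original article; the function names, the regular expressions and the sample post (which uses a placeholder host under .invalid) are assumptions constructed for illustration.

```javascript
// Added example (not from the Wordfence post): statically decode
// String.fromCharCode(...) calls in stored content, never executing it.
const CALL_RE = /String\s*\.\s*fromCharCode\s*\(([^()]*)\)/g;
const URL_RE = /(?:https?:)?\/\/[a-z0-9.-]+\.[a-z]{2,}[^\s'"<>]*/gi;

// Decode an argument list such as "104, 0x74, 116" into a string.
// Returns null when any argument is not a plain numeric literal.
function decodeArgs(argList) {
  const codes = [];
  for (const raw of argList.split(',')) {
    const tok = raw.trim();
    if (!/^(0x[0-9a-f]+|\d+)$/i.test(tok)) return null;
    codes.push(Number(tok));
  }
  return String.fromCharCode(...codes);
}

// Report every decodable call in `content` and any URL its output contains.
function findObfuscatedUrls(content) {
  const findings = [];
  for (const m of content.matchAll(CALL_RE)) {
    const decoded = decodeArgs(m[1]);
    if (decoded === null) continue; // computed arguments: review by hand
    findings.push({ offset: m.index, decoded, urls: decoded.match(URL_RE) || [] });
  }
  return findings;
}

// Constructed sample: a post body with an injected script whose source URL
// (a placeholder host under .invalid) is hidden as character codes.
const hiddenUrl = 'https://tracker.example.invalid/script.js';
const codes = [...hiddenUrl].map((c) => c.charCodeAt(0)).join(',');
const SAMPLE_POST =
  `<p>Hello</p><script>var s = String.fromCharCode(${codes});</script>`;

for (const f of findObfuscatedUrls(SAMPLE_POST)) {
  console.log(`offset ${f.offset}: ${JSON.stringify(f.decoded)} urls=${f.urls}`);
}
```

Run over exported post content, option values or theme files, this surfaces hidden script sources for review; calls whose arguments are computed rather than literal are skipped and need manual inspection.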
The hackers target several different vulnerabilities; some of the most commonly targeted ones are listed below.
- An XSS vulnerability in Blog Designer, which was patched in 2019; there were about 1,000 vulnerable installations.
- An XSS vulnerability in Easy2Map, which was removed from the WordPress plugin repository in August 2019 and is estimated to affect fewer than 3,000 websites.
- An option update vulnerability in WP GDPR Compliance that allows the attacker to change the site’s home URL; it was patched in late 2018 and has about 5,000 vulnerable installations.
- An option update vulnerability in Total Donations, which was removed from Envato Marketplace in 2019 and has about 1,000 vulnerable installations.