Posted on September 2, 2020 at 5:36 PM
Attackers are actively exploiting a vulnerability in the File Manager plugin for WordPress, the popular blogging platform. Researchers say the attackers do this by sending specific commands and uploading malware to websites that have the File Manager plugin installed.
File Manager is a WordPress plugin with over 700,000 active installations. The attacks became known several hours after the flaw was discovered and patched.
The attackers use this weakness to upload files containing web shells into the File Manager plugin's own directory. The web shells are typically hidden inside image files. Although a restriction prevents the attackers from executing these uploaded files outside the plugin directory, they can still cause further damage by using them to drop similar malicious scripts into other locations on the affected website.
NinTechNet, a Bangkok-based security firm, was one of the organisations that observed and reported the attacks. It reported an attacker exploiting the flaw to upload a script (hardfork.php) through the plugin and then using that script to inject code into core WordPress files such as /wp-includes/user.php and /wp-admin/admin-ajax.php.
Almost half a million backdooring attempts were prevented
Wordfence, a security firm that has been tracking the campaign, posted that it had blocked over 450,000 exploitation attempts within a few days. Wordfence researchers also noticed a wave of attacks that used fraudulent admin accounts, created by the attackers, to gain access to unprotected websites.
They reported that the attackers are attempting to upload multiple files. Most of the time the uploaded files were empty, which appears to be a probe for vulnerable websites; where the probe succeeds, harmful files are uploaded later. The attackers were also seen uploading files named x.php, hardfind.php, and hardfork.php.
Wordfence's report states that the vulnerable plugin could grant the attackers access to the WordPress dashboard, which lets them do further damage once they are inside the site's admin area.
In addition to redirecting visitors away from a website, the campaign also involves uploading further scripts that provide hidden backdoor access. That backdoor access is used to create rogue admin accounts on WordPress, and those admin accounts are then used to take over user accounts on the platform directly.
File Manager is a plugin that WordPress administrators use to manage files on websites running WordPress' content management system. The plugin bundles elFinder.
elFinder is an open-source file management library contained in the plugin; it provides both the plugin's core functionality and its user interface. The flaw can be traced back to the way the plugin integrated elFinder.
Wordfence further reported that it traced the origin of these attacks to multiple IP addresses from various parts of the world. Most of the servers issuing the attacks have since gone offline; only one server hosted at Rackspace remains active. The firm said it had notified Rackspace of the abuse but had not yet received a reply.
Wordfence added that keeping plugins and themes on the platform up to date is the right way to ward off such attacks. Explaining the attack, the firm said it is essential to check for updates frequently so that sites receive the most recent patches as soon as they are released.
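Defenders can check an installation for the indicators the report names above: the dropped scripts x.php, hardfind.php and hardfork.php, PHP files in the plugin's upload folder, and modifications to /wp-includes/user.php and /wp-admin/admin-ajax.php. The following scanner is an added example written for this page, not code from Wordfence, NinTechNet or the plugin; the plugin slug and upload path (wp-content/plugins/wp-file-manager/lib/files) are assumptions, and the known-good hashes are taken from constructed files for the demo, where in practice they would come from a clean WordPress release.

```python
# Added example (not the article's code): scan a WordPress tree for the
# indicators the report names and for modified core files.
import hashlib, os, tempfile
DROPPED_NAMES = {"x.php", "hardfind.php", "hardfork.php"}   # names from the report
UPLOAD_DIR = os.path.join("wp-content", "plugins", "wp-file-manager", "lib", "files")  # assumed path
CORE_FILES = [os.path.join("wp-includes", "user.php"),
              os.path.join("wp-admin", "admin-ajax.php")]   # injection targets named

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_wordpress(root, known_good):
    """Return sorted (finding, relative path) pairs; known_good maps core
    file paths to SHA-256 hashes taken from a clean WordPress release."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.normpath(os.path.relpath(os.path.join(dirpath, name), root))
            if name in DROPPED_NAMES:
                findings.append(("dropped-script", rel))
            elif name.endswith(".php") and rel.startswith(UPLOAD_DIR + os.sep):
                findings.append(("php-in-upload-dir", rel))   # uploads should not be code
    for core in CORE_FILES:
        path = os.path.join(root, core)
        if os.path.isfile(path) and sha256_of(path) != known_good.get(core):
            findings.append(("core-file-modified", core))
    return sorted(findings)

def demo():
    """Constructed install: clean core hashes, then one planted indicator each."""
    root = tempfile.mkdtemp()
    known_good = {}
    for core in CORE_FILES:
        path = os.path.join(root, core)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("<?php // clean core file\n")
        known_good[core] = sha256_of(path)
    os.makedirs(os.path.join(root, UPLOAD_DIR))
    with open(os.path.join(root, UPLOAD_DIR, "hardfork.php"), "w") as f:
        f.write("<?php // constructed stand-in, not a real script\n")
    with open(os.path.join(root, CORE_FILES[0]), "a") as f:
        f.write("// constructed injected line\n")
    return scan_wordpress(root, known_good)

if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

Run it against a real site root with hashes from a clean copy of the same WordPress version; any finding is a reason to restore from a known-good backup and audit admin accounts.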