We recently reported that a dangerous vulnerability had been found in the File Manager plugin for WordPress, allowing malicious files to be uploaded to vulnerable sites. The File Manager plugin is used on more than 700,000 sites, and although the vulnerability has already been fixed, a few days ago more than half of those sites were still considered vulnerable.
Attacks on this vulnerability began almost immediately: cybercriminals uploaded web shells to sites, which allowed them to take control of the site and use it for their own purposes. The researchers wrote that cybercriminals are trying to inject various files into websites. In some cases, these files were empty (apparently, the hackers were only testing the vulnerability); other malicious files were named hardfork.php, hardfind.php, x.php and Feoidasf4e0_index.php.
Earlier this week, Defiant, the company behind Wordfence, warned that attacks against the vulnerability continue to grow rapidly. In total, experts reported attacks on 1.7 million sites.
Defiant experts have now published updated figures, and the situation keeps getting worse. According to the company, 2.6 million WordPress sites have already been attacked.
The researchers write that many hackers are currently trying to exploit the vulnerability in File Manager, but two of them have had the greatest success in deploying malware to vulnerable sites. One of these hackers is the Moroccan attacker bajatax, previously known to experts for a propensity to steal user credentials from PrestaShop e-commerce sites.
After hacking a site, bajatax injects malicious code that collects and steals user credentials; the stolen data is exfiltrated via Telegram and then sold to whoever offers the best price.
Another hacker injects backdoors into a randomly named folder and into the root of the compromised sites. In both cases, the malware is disguised as .ico files, presumably to reduce the likelihood that both pieces of malware are detected at once. This attacker uses compromised sites to deploy miners as well as to conduct SEO spam campaigns.
At the same time, both attackers try to protect compromised sites from other attackers by password-protecting the vulnerable connector.minimal.php file, which is the cornerstone of the entire attack.
"The aforementioned attackers are most successful due to their efforts to block other attackers, and together they use several thousand IP addresses in their attacks," the analysts write.
In total, Defiant experts recorded attacks on the File Manager vulnerability from 370,000 individual IP addresses, and this activity almost never overlaps with active attempts to access the backdoors. The only exception is the IP address 51.83.216(.)204: the people behind it opportunistically check for both backdoors on compromised sites and try to add their own backdoor to the site (without much success, though).
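For defenders reviewing their own web server logs, the article gives a small set of indicators: direct requests to connector.minimal.php, the web shell names observed in the attacks, the .ico disguise, and the one IP address named above. The following is an added example (not code from the article, Defiant or Wordfence) that scans Apache combined-format access log lines for those indicators. The sample log lines, the plugin directory layout in the paths, and the "POST to a .ico file" heuristic are constructed assumptions for illustration; only the file names and the IP address come from the article.

```python
import re

# Indicators taken from the article above.
VULNERABLE_ENDPOINT = "connector.minimal.php"
KNOWN_SHELL_NAMES = {"hardfork.php", "hardfind.php", "x.php", "feoidasf4e0_index.php"}
WATCHED_IPS = {"51.83.216.204"}   # the article writes it defanged as 51.83.216(.)204

# Apache combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (assumption: plugin lives under wp-content/plugins/wp-file-manager/).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2020:10:00:00 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Sep/2020:10:00:05 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2020:10:01:00 +0000] "GET /wp-content/uploads/2020/09/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Sep/2020:10:01:30 +0000] "POST /wp-content/uploads/.a1b2c3/favicon_fix.ico HTTP/1.1" 200 64 "-" "Mozilla/5.0"
51.83.216.204 - - [01/Sep/2020:10:02:00 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/x.php HTTP/1.1" 404 200 "-" "curl/7.68.0"
"""


def classify(line):
    """Return a finding dict for a suspicious log line, or None if it is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path = m.group("ip"), m.group("method"), m.group("path")
    status = int(m.group("status"))
    path_only = path.split("?", 1)[0]          # drop query string
    name = path_only.rsplit("/", 1)[-1].lower()  # final path component

    tags = []
    # Any direct request to the vulnerable connector is worth reviewing; the article
    # calls this file the cornerstone of the attack.
    if name == VULNERABLE_ENDPOINT:
        tags.append("connector_request")
    if name in KNOWN_SHELL_NAMES:
        tags.append("known_shell_name")
    # Heuristic (assumption): a static icon should never receive a POST body; the
    # article notes the backdoors are disguised as .ico files.
    if method == "POST" and name.endswith(".ico"):
        tags.append("post_to_ico")
    if ip in WATCHED_IPS:
        tags.append("watched_ip")
    if not tags:
        return None
    return {"ip": ip, "path": path_only, "status": status, "tags": tags}


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


def ips_by_tag(findings):
    """Group source IPs by indicator, mirroring the article's per-IP view of the campaign."""
    out = {}
    for f in findings:
        for tag in f["tags"]:
            out.setdefault(tag, set()).add(f["ip"])
    return out


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A 404 for a known shell name (as in the last sample line) is still worth recording: it shows someone probing for backdoors left by other attackers, which is exactly the behaviour the article attributes to the watched address.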