WordPress vulnerabilities leveraged in malvertising campaign

There is an active malvertising campaign targeting WordPress sites, according to a recent post from the team at Wordfence. The campaign leverages disclosed plugin vulnerabilities that, left unpatched, allow attackers to remotely inject malicious JavaScript into a site. The injected code specifically targets a site’s front end, and when it executes in a visitor’s browser it lets threat actors trick site visitors into clicking malicious ads that redirect them to a central domain.

Wordfence researchers from the Defiant Threat Intelligence team note in the post that there is nothing particularly new about this scheme per se. Certainly, TechGenix has reported on plenty of malvertising campaigns in the past, as well as on other WordPress security problems. What did catch the researchers’ attention, however, was the code itself, and their in-depth analysis (with actual code samples) is highly recommended by this journalist.

Major points made about the malvertising code are found in the following post excerpt:

The majority of the XSS injection attempts tracked across this campaign were sent by IP addresses linked to popular hosting providers. With attacks sourced from IPs hosting several live websites, as well as our own evidence of infected sites associated with this campaign, it’s likely the threat actor is using infected sites to deliver XSS attacks by proxy.

In the infected site we had access to, we identified a few PHP shells which would have been capable of performing these attacks. These were fairly common types of webshells, and didn’t feature custom code specifically built to deliver XSS attempts, but could receive arbitrary commands from the attacker to launch the attacks… This campaign is ongoing. We expect the threat actors will be quick to leverage any similar XSS vulnerabilities that may be disclosed in the near future. Be sure to check your WordPress sites for any available plugin and theme updates frequently. Even if an update’s changelog doesn’t mention a security fix, it’s possible the developer neglected to disclose the nature of the patch.

This malvertising campaign targeting WordPress highlights three major issues that have grabbed the attention of security researchers. First, malvertising campaigns are currently a major part of cybercriminals’ attack arsenal, and because of this, web admins should keep a close eye on their site’s activity. Second, JavaScript becomes a dangerous attack vector when coding errors leave a site open to injection. Users who have the technical know-how may want to consider a browser extension like NoScript for greater control over which scripts run while they browse. Finally, and this really should be common sense, patching vulnerabilities promptly is essential if you are going to prevent major security incidents.
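One concrete way for an admin to keep an eye on a site’s front end, as an added example that is not code from the Wordfence post or this article: parse the rendered HTML and report script tags an injected malvertising payload would leave behind, namely external scripts loaded from hosts outside the site’s own origin (or an explicit allowlist) and inline scripts that redirect visitors. The hostnames and the sample page are constructed placeholders.

```python
# Added example (not from Wordfence or TechGenix): flag script tags on a page that
# fall outside the site's own origin/allowlist, plus inline scripts that redirect.
# All hostnames and the sample HTML below are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

REDIRECT_MARKERS = ("window.location", "document.location", "location.href", "location.replace")

class ScriptCollector(HTMLParser):
    # Gathers external script URLs and the bodies of inline <script> blocks.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []          # start collecting an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)  # script text may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def find_suspicious_scripts(html, site_host, allowed_hosts=()):
    # Returns (external script URLs from untrusted hosts, inline scripts that redirect).
    p = ScriptCollector()
    p.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    unexpected = []
    for src in p.external:
        host = urlparse(src).hostname   # None for relative URLs, which are same-origin
        if host and host.lower() not in trusted:
            unexpected.append(src)
    redirects = [s for s in p.inline if any(m in s for m in REDIRECT_MARKERS)]
    return unexpected, redirects

# Constructed sample front page: two legitimate scripts, one injected loader, one redirect.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://example-site.test/wp-content/themes/demo/app.js"></script>
<script src="https://ads.malicious-example.test/loader.js"></script>
<script>if (document.referrer) { window.location.href = "https://redirect.malicious-example.test/"; }</script>
</head><body><p>Hello</p></body></html>"""
```

Run it against the HTML of your own front page (fetched while logged out, since injected code often targets visitors only) and review anything it reports against the plugins and ad networks you actually installed.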

Featured image: Pxhere
