Attackers are targeting WordPress users with a fake security alert that warns of a fabricated remote code execution (RCE) flaw; it offers a “patch” that in fact spreads malicious code capable of hijacking the site.
The email campaign, identified by researchers at both Wordfence and Patchstack, impersonates WordPress and warns users of a vulnerability, CVE-2023-45124, urging them to click on a link to download a plugin that will supposedly fix the flaw.
“This is not a legitimate email and the plugin that they’re asking you to download and install will infect your website with a backdoor and malicious administrator account,” Patchstack warned users in a blog post about the campaign.
Attackers can use the backdoor to conduct malicious activity, such as injecting advertisements into the site, redirecting users to a malicious site, or stealing billing information, according to Patchstack. They can also leverage it for distributed denial of service (DDoS) attacks, or can blackmail site owners by making a copy of the site’s database and then holding it hostage for a cryptocurrency payment.
The good news is that so far, it does not appear that any targets have been infected by the campaign, which requires user action to be successful, the researchers noted.
Moreover, the attackers aim to get users to do their dirty work for them: victims who install and activate the plugin are told that “CVE-2023-45124 has been patched successfully” and are then encouraged to share the “patch” with “people you think might be affected by this vulnerability,” according to Patchstack.
Protect Your WordPress Site
With hundreds of millions of websites built on WordPress, the platform and its users represent a huge attack surface for threat actors and are therefore frequent targets of malicious campaigns, whether via plugins that install malware or via phishing campaigns aimed at WordPress users — or, in this case, both. Attackers also tend to pounce quickly on flaws discovered in WordPress, a tendency the current campaign exploits by luring users with the threat of a supposedly exploitable vulnerability.
Current indicators that a site has been compromised include the creation of a user with the username “wpsecuritypatch”; the presence of a file called “wp-autoload.php” in the root folder of the WordPress site; the existence of a folder called “wpress-security-wordpress” or “cve-2023-45124” in the /wp-content/plugins/ folder; and outgoing requests sent to wpgate[.]zip, the attacker-controlled site, according to Patchstack.
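The following POSIX shell script is an added example, not code from Patchstack, Wordfence or the original article: it checks a WordPress install for the indicators listed above (the dropper file, the two plugin folder names, references to the attacker domain, and the rogue username). The install path is an assumption passed as an argument, and the username check relies on WP-CLI (`wp`) being installed, which is also an assumption.

```shell
#!/bin/sh
# Constructed example: scan a WordPress install for the indicators of
# compromise reported for the fake CVE-2023-45124 "patch" plugin.
# Usage: check_wp_iocs /path/to/wordpress   (path is an assumption)
# Exit status 0 = no indicators found, 1 = at least one indicator found.

check_wp_iocs() {
  root="$1"
  hits=0

  # 1. Dropper file reported in the WordPress root folder
  if [ -f "$root/wp-autoload.php" ]; then
    echo "IOC: file $root/wp-autoload.php exists"
    hits=$((hits + 1))
  fi

  # 2. Malicious plugin folders reported under wp-content/plugins
  for d in wpress-security-wordpress cve-2023-45124; do
    if [ -d "$root/wp-content/plugins/$d" ]; then
      echo "IOC: plugin folder $root/wp-content/plugins/$d exists"
      hits=$((hits + 1))
    fi
  done

  # 3. PHP files anywhere in the install that reference the attacker domain
  if find "$root" -name '*.php' -exec grep -l 'wpgate\.zip' {} + 2>/dev/null | grep -q .; then
    echo "IOC: PHP files referencing wpgate.zip found under $root"
    hits=$((hits + 1))
  fi

  # 4. Rogue admin account, checked through WP-CLI when available (assumption)
  if command -v wp >/dev/null 2>&1; then
    if wp --path="$root" user list --field=user_login 2>/dev/null | grep -qx 'wpsecuritypatch'; then
      echo "IOC: user wpsecuritypatch exists"
      hits=$((hits + 1))
    fi
  fi

  echo "indicators found: $hits"
  [ "$hits" -eq 0 ]
}
```

A clean result is not proof of safety: as the researchers note, the username, file names and domain can change from one day to the next, so treat the list as a starting point rather than a complete signature.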
However, these details could change at the whim of the attackers, the researchers warned. “Tomorrow they could very well have the username set to something else or set up another malicious domain name,” according to the post.
Wordfence plans to release a future post taking a deeper dive into the plugin and backdoor. For now, the researchers warned users to be on the lookout for the phishing email associated with the campaign and to avoid clicking on any links it contains, even an “unsubscribe” link.