Security researchers recently reported a File Manager plugin vulnerability, which initially endangered more than 700,000 WordPress sites. However, in a few days, the number of attacked sites reached 2.6 million.
Multiple Attackers Exploiting the File Manager Plugin Vulnerability
According to Wordfence (Defiant) researchers, multiple threat actors are to blame for these attacks, with two specific threat actors being the most successful in the exploits. These attackers are now password-protecting vulnerable copies of a specific file, known as connector.minimal.php.
The most active of these attackers has been identified as “bajatax”, an actor previously known for stealing credentials from PrestaShop sites. The indicators of compromise the researchers discovered include simple files containing the “bajatax” string and modifications to the original vulnerable connector.minimal.php file; the modified file is designed to lock out all other potential attackers. The researchers’ findings show that these files are being used by some of the most active IPs involved in the attacks.
Infected sites will have malicious code added to them. This code uses the Telegram API to exfiltrate the credentials of all users logging into the compromised site. The same code is also added to user.php, a core WordPress file.
The second attacker exploiting the File Manager vulnerability with great success is dropping a specific infector, feoidasf4e0_index.php (MD5 hash 6ea6623e8479a65e711124e77aa47e4c), along with a backdoor inserted by this infector, Wordfence says in its official report. This attacker is also password-protecting the connector.minimal.php file in an attempt to lock out other threat actors.
The researchers also note that the backdoor used by this second actor has been in use for many years. Multiple copies of it can be scattered across a single infected site, giving the attacker persistence if no protection is in place.
Furthermore, once the backdoors are successfully installed, the attacker is certainly using them to make further modifications to core WordPress files.
What should you do if you have been using a vulnerable version of the File Manager plugin?
The best security advice is to scan your site for malware with a security tool. If you discover that your site has been compromised by the attacks described in this article, clean your website before doing anything else.
If you own an e-commerce site, you should also contact all of your users to let them know that their credentials may have been compromised. You can also test the overall security of your website using the tips in the article below:
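To make that scan concrete, here is an added example (not Wordfence's code and not part of the original article) that sweeps a WordPress document root for the indicators named above: the feoidasf4e0_index.php infector and its MD5 hash, files containing the “bajatax” string, the presence of connector.minimal.php, and a Telegram API reference inside the core user.php. Two assumptions are not from the article: that the connector lives at the usual plugin path wp-content/plugins/wp-file-manager/lib/php/, and that the exfiltration code refers to the api.telegram.org hostname. The sample tree the script builds is constructed for the demonstration only.

```python
"""Indicator sweep for the File Manager plugin campaign described above.

Added example; not Wordfence's or the plugin's code.
"""
import hashlib
import tempfile
from pathlib import Path

# Indicators quoted from the report above.
INFECTOR_NAME = "feoidasf4e0_index.php"
INFECTOR_MD5 = "6ea6623e8479a65e711124e77aa47e4c"
ATTACKER_MARKER = b"bajatax"
VULN_CONNECTOR = "connector.minimal.php"
CORE_FILE = "user.php"  # wp-includes/user.php, per the report
# Assumption (not stated in the report): the credential-exfiltration code
# reaches the Telegram Bot API by its public hostname.
TELEGRAM_MARKER = b"api.telegram.org"


def scan_wordpress(root):
    """Walk a WordPress document root; return sorted (relative_path, finding) pairs."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        rel = path.relative_to(root).as_posix()
        if path.name == INFECTOR_NAME:
            digest = hashlib.md5(data).hexdigest()
            if digest == INFECTOR_MD5:
                findings.append((rel, "known infector (md5 matches report)"))
            else:
                findings.append((rel, f"infector filename, unlisted variant (md5 {digest})"))
        if path.name == VULN_CONNECTOR:
            # Presence alone means the vulnerable file is exposed; attacker edits
            # (the password lock-out) show up when diffed against a pristine copy.
            findings.append((rel, "vulnerable elFinder connector present; diff against pristine plugin copy"))
        if ATTACKER_MARKER in data:
            findings.append((rel, "contains 'bajatax' marker"))
        if path.name == CORE_FILE and TELEGRAM_MARKER in data:
            findings.append((rel, "core file references Telegram API (credential exfiltration)"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed, minimal WordPress-like tree with planted indicators."""
    root = Path(tempfile.mkdtemp(prefix="wp-ioc-demo-"))
    files = {
        # Clean core file: must produce no finding.
        "wp-includes/version.php": b"<?php\n$wp_version = '5.5';\n",
        # Core file with a constructed injected Telegram reference.
        "wp-includes/user.php": b"<?php\n// constructed: wp_remote_get('https://api.telegram.org/...');\n",
        # Assumed plugin path for the vulnerable file the report names.
        "wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php": b"<?php\n// elFinder connector\n",
        # Second actor's infector name with constructed content (hash will not match).
        "wp-content/uploads/feoidasf4e0_index.php": b"<?php\n// constructed stand-in\n",
        # First actor's marker file.
        "wp-content/uploads/2020/09/bajatax.txt": b"bajatax\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for rel, what in scan_wordpress(build_sample_tree()):
        print(f"{rel}: {what}")
```

Run the script from outside the document root: its own source contains the “bajatax” string and would otherwise flag itself. A hit on connector.minimal.php only tells you the vulnerable file is present; compare it byte-for-byte with the copy in the plugin version you installed to see whether an attacker has edited it.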
Also read: How To Test Your WordPress Site Security