Active exploits are aimed at a newly patched WordPress vulnerability


Last week, about one million websites were affected by a zero-day exploit

Active exploits target a recently patched bug in the popular Duplicator WordPress plugin, which has over 1 million active installations. To date, researchers have observed 60,000 attempts to gather sensitive victim information.

In a post on Thursday, researchers at Wordfence said that 50,000 of these attacks were carried out before Duplicator creator Snap Creek released the bug fix on February 12, last week.

Duplicator is essentially a backup and site-migration tool. It allows WordPress site administrators to migrate, copy, move or clone a website. WordPress says Duplicator has over 15 million downloads and is used daily by more than 1,000,000 websites.

Unfortunately, Duplicator is affected by an unauthenticated arbitrary file download vulnerability in versions before 1.3.28, and Duplicator Pro in versions before 3.8.7.1. A write-up from Tenable states that, by submitting a specially crafted request to a website running an insecure Duplicator version, "a remote attacker cannot use this vulnerability."

The attacker would then be able to download files from the targeted directory. Satnam Narang, the Tenable researcher, wrote that the only caveat is that an attacker would need to know the structure of the target file system or try downloading commonly known files.

Narang said that in unpatched versions, two functions, duplicator_download and duplicator_init, are vulnerable because they are implemented via wp_ajax_nopriv. In practice, they execute regardless of whether the user is logged in, on any WordPress site where the plugin is enabled.

"The file parameter was sanitized but not validated within those functions, which allowed an attacker to use path traversal to access files outside Duplicator's defined path," Narang explained.

Wordfence states that all of the 60,000 exploitation attempts it saw in its customer telemetry were attempts to access wp-config.php files.

According to a Wordfence blog post published this week, wp-config.php "could contain any amount of customized code, but it can be used by attackers to access database credentials. An attacker can access the victim site's database directly using those credentials if remote connections are allowed."

An attacker can use this access to create their own admin account and compromise the site further, or simply to inject content or harvest information.

Virtually every attack the researchers saw came from the same IP address: 77.71.115.52. The attacks are carried out via GET requests using the query string "action=duplicator_download" and "file=/../wp-config.php". The IP address belongs to a data center in Bulgaria, the Varna data center EOOD.
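As an added, illustrative example (not code from the article, Wordfence or Tenable), the following Python scans Apache-style access-log lines for the request pattern just described: a `duplicator_download` action whose `file` parameter steps out of the plugin directory or targets wp-config.php. The log lines and IP addresses are constructed samples, and the endpoint path `/wp-admin/admin-ajax.php` is the standard WordPress AJAX endpoint, which the article does not name.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format) using documentation
# IP ranges; not real telemetry. Lines 1-2 mirror the request pattern described in
# the article (plain and percent-encoded), line 3 is a benign Duplicator download,
# line 4 is an unrelated page load.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Feb/2020:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Feb/2020:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=backup_20200213.zip HTTP/1.1" 200 5120000 "-" "Mozilla/5.0"
198.51.100.8 - - [13/Feb/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(value: str) -> bool:
    """True if the (possibly double-encoded) file parameter contains a '..'
    path segment or names wp-config.php outright. Backslashes are normalised
    so Windows-style separators are not missed."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return ".." in decoded.split("/") or decoded.lower().endswith("wp-config.php")


def find_duplicator_traversal(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request that invokes duplicator_download with a
    traversing file parameter. Only the query string is inspected, so POST
    bodies carrying the same parameters would need a separate check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
        if "duplicator_download" not in qs.get("action", []):
            continue
        for f in qs.get("file", []):
            if is_traversal(f):
                hits.append({"ip": m["ip"], "ts": m["ts"],
                             "file": unquote(f), "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_duplicator_traversal(SAMPLE_LOG):
        print(hit)
```

A 200 status on such a request is the signal that matters most: it means the unpatched plugin served the file, so the database credentials in wp-config.php should be treated as exposed and rotated.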

"There are a few websites on this list, which indicates that the attacker could be proxying their attacks through a compromised website," the company added.

In addition, Wordfence noted that the same IP address was recently associated with other malicious WordPress activity, so its researchers are monitoring the situation.

Websites continue to suffer from vulnerable WordPress plugins. For example, earlier in February a critical flaw was disclosed in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR); it enabled attackers to modify content or inject malicious JavaScript code into victims' websites. 700,000 sites were affected.

"The 'front door' to an organization is its website, and it is the target of criminals trying to gain access and serve malicious code and malware to everyone who visits that website," KnowBe4 security advocate James McQuiggan said via email.

"With a well-documented and repeatable change-control program that includes regular patching, the security of the website should be extremely robust. Companies using plugins must check and test all updates to reduce the risk of infecting users who visit their websites."
