WordPress Bug 'Patch' Installs Backdoor for Full Site Takeover – Dark Reading

A faux security alert purports to provide a fix for an RCE flaw, but instead creates a user with admin privileges and spreads a backdoor to infected sites.
December 5, 2023
Attackers are targeting WordPress users with a fake security alert that warns of a fabricated remote code execution (RCE) flaw; it offers a "patch" that in actuality spreads malicious code that can hijack the site.
The email campaign, identified by researchers at both Wordfence and Patchstack, impersonates WordPress and warns users of a vulnerability, CVE-2023-45124, urging them to click on a link to download a plugin that will fix the flaw.
"This is not a legitimate email and the plugin that they are asking you to download and install will infect your website with a backdoor and malicious administrator account," Patchstack warned users in a blog post about the campaign.
Attackers can use the backdoor to conduct malicious activity, such as injecting advertisements into the site, redirecting users to a malicious site, or stealing billing info, according to Patchstack. They also can leverage it for distributed denial of service (DDoS) attacks, or can blackmail site owners by making a copy of the site's database and then holding it hostage for a cryptocurrency payment.
The good news is that, so far, no targets appear to have been infected by the campaign, which requires user action to succeed, the researchers noted.
Moreover, attackers aim to get users to do their dirty work for them by informing victims who install and activate the plugin that "CVE-2023-45124 has been patched successfully" and then encouraging them to share the "patch" with "people you think might be affected by this vulnerability," according to Patchstack.
With hundreds of millions of websites built on WordPress, the platform and its users present a large attack surface, and they are frequent targets both of malicious plugins that install malware and of phishing campaigns aimed at WordPress users; this campaign combines the two. Attackers also tend to pounce quickly on newly disclosed WordPress flaws, and the current campaign exploits that expectation by luring users with the threat of a supposedly exploitable vulnerability.
Patchstack lists the current indicators that a site has been compromised: a user with the username "wpsecuritypatch"; a file called "wp-autoload.php" in the root folder of the WordPress site; a folder called "wpress-security-wordpress" or "cve-2023-45124" in the /wp-content/plugins/ folder; and outgoing requests to wpgate[.]zip, the attacker-controlled site.
However, these variables could change depending on the whim of attackers, the researchers warned. "Tomorrow they could very well have the username set to something else or set up another malicious domain name," according to the post.
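As an added example (not code from Patchstack, Wordfence or Dark Reading), the following POSIX shell script sweeps a WordPress install for the indicators listed above. The indicator values sit in variables at the top so they can be updated as the attackers change them. The account check reads a plain list of login names, one per line, which an operator would produce with WP-CLI (`wp user list --field=user_login --path=ROOT`); WP-CLI availability is an assumption, and the check is skipped when no list is supplied. The infected tree the script runs against at the bottom is a constructed fixture, not a real sample.

```shell
#!/bin/sh
# Added example: sweep a WordPress install for the indicators Patchstack published
# for this campaign. Indicator values live in variables because the post warns the
# attackers can change them at will.

IOC_USER='wpsecuritypatch'
IOC_ROOT_FILE='wp-autoload.php'
IOC_PLUGIN_DIRS='wpress-security-wordpress cve-2023-45124'
IOC_DOMAIN='wpgate.zip'

# check_wp_iocs ROOT [USERLIST]
# Prints one "IOC: ..." line per indicator found; prints nothing for a clean install.
# USERLIST is a file of login names, one per line (assumption: produced with
# `wp user list --field=user_login --path=ROOT`); omit it to skip the account check.
check_wp_iocs() {
  root=$1
  userlist=${2:-}

  if [ -f "$root/$IOC_ROOT_FILE" ]; then
    echo "IOC: dropper file $root/$IOC_ROOT_FILE present"
  fi

  for d in $IOC_PLUGIN_DIRS; do
    if [ -d "$root/wp-content/plugins/$d" ]; then
      echo "IOC: malicious plugin folder wp-content/plugins/$d present"
    fi
  done

  # Outbound requests to the attacker domain are not visible on disk, but the code
  # that makes them is: look for the hostname in every PHP file under the install.
  # Escape the dots so the pattern matches the literal domain only.
  pattern=$(printf '%s' "$IOC_DOMAIN" | sed 's/\./\\./g')
  find "$root" -type f -name '*.php' -exec grep -l "$pattern" {} + 2>/dev/null |
    while IFS= read -r f; do
      echo "IOC: reference to $IOC_DOMAIN in $f"
    done

  if [ -n "$userlist" ] && grep -qx "$IOC_USER" "$userlist"; then
    echo "IOC: administrator account '$IOC_USER' exists"
  fi
  return 0
}

# build_fixture DIR: constructed stand-in for an infected install (test data only,
# no real malware). Carries all four indicators plus one benign plugin.
build_fixture() {
  d=$1
  mkdir -p "$d/wp-content/plugins/cve-2023-45124" "$d/wp-content/plugins/akismet"
  printf '<?php // constructed stand-in for the dropper\n' > "$d/wp-autoload.php"
  printf '<?php // constructed: plugin that phones home\nwp_remote_get("https://wpgate.zip/");\n' \
    > "$d/wp-content/plugins/cve-2023-45124/plugin.php"
  printf '<?php // benign plugin, no indicators\n' > "$d/wp-content/plugins/akismet/akismet.php"
  printf 'admin\neditor\nwpsecuritypatch\n' > "$d/users.txt"
}

# Demo on the constructed fixture. Against a live site (path is an assumption):
#   wp user list --field=user_login --path=/var/www/html > users.txt
#   check_wp_iocs /var/www/html users.txt
demo=$(mktemp -d)
build_fixture "$demo"
check_wp_iocs "$demo" "$demo/users.txt"
rm -rf "$demo"
```

No output means none of these particular indicators is present, which is not the same as a clean site: a renamed dropper, a different plugin folder or a differently named account would pass this sweep, so treat the list as a starting point and update the variables as new indicators are published.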
Wordfence plans to release a future post taking a deeper dive into the plugin and backdoor. For now, the researchers warned users to be on the lookout for the phishing email associated with the campaign and to avoid clicking any link it contains, including the "unsubscribe" link.
Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
