Nearly 300 WordPress sites have been hacked in a new wave of attacks that began late last week. The compromised sites display a phony encryption alert designed to fool site owners into paying 0.1 bitcoin for "repair". The ransom notes include a countdown timer, intended to create a sense of urgency, and possibly fear, among web administrators and prompt them to pay.
Sucuri, a cyber-security firm hired by one of the victims to handle incident response for the alleged attack, uncovered the deception behind the campaign. As soon as the researchers started their inquiry, they found that the websites' pages had not been encrypted and that the warning was a hoax.
What are ransomware attacks?
Ransomware is any malicious software (malware) that threatens to, or actually does, cut off access to data, usually by encrypting it, and then demands a payment to unlock or decrypt the affected data.
How much ransom does this attack demand from WordPress site owners?
While the ransom demand of 0.1 bitcoin ($6,069.23) is small compared with what we see in high-profile ransomware operations, it can still be a significant sum for many website owners.
“Thankfully, some website owners engaged us to take a look before panicking and paying the ransom (or completely re-building their website from scratch),” writes Sucuri, who had previously dealt with ransomware assaults on websites.
However, when they examined the files on the web server, they discovered that they were not encrypted. Instead, the warning was a simple HTML page produced by a fake WordPress plugin.
In addition to displaying the warning and the timer, the plugin ran a simple SQL command that found every post and page with the "publish" status and changed it to "null", which made all of those pages return 404 errors and lent the phony attack credibility.
The researchers couldn’t tell whether the attackers used brute force to crack the admin password or bought the compromised credentials on the black market.
What are the attacks identified by Sucuri?
"Smoke and mirrors" is how cyber security firm Sucuri characterises the attacks it has found so far behind the WordPress malfunctions.
According to the researchers, the threat actors modified an installed WordPress plugin to display a ransom note and countdown even though the websites were not encrypted. In addition to displaying the ransom note, the plugin changed the 'post status' of every WordPress blog post to 'null', effectively marking them unpublished.
As a result, the actors produced a simple but effective deception, giving the impression that the site had been encrypted.
How was the site restored?
The site is restored to its previous state by deleting the fake plugin and then running a script that republishes the posts and pages.

Sucuri investigated the network traffic records further and found that the actor's IP address first appeared in the wp-admin panel. This indicates that the intruders gained access to the site as administrators, either by brute-forcing the password or by purchasing stolen credentials on the dark web. Because this was not a one-off attack but appears to be part of a larger campaign, the second scenario is the more credible of the two.

Sucuri also came across a plugin called Directorist, a tool for creating online company directory listings on websites.
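The mass-unpublish step and its reversal can be checked and undone directly against the `wp_posts` table. The following Python script is an added example written for this article, not Sucuri's tooling or code from the fake plugin: it builds a constructed, in-memory copy of `wp_posts` (invented rows, SQLite standing in for MySQL), flags rows whose `post_status` is a value WordPress core never writes (the literal string `null` that the plugin left behind, plus a real SQL `NULL` for good measure), and republishes only the affected posts and pages while leaving drafts, revisions and trashed items untouched.

```python
import sqlite3

# Status values WordPress core itself writes to wp_posts.post_status.
VALID_STATUSES = ("publish", "draft", "pending", "private", "future",
                  "trash", "auto-draft", "inherit")


def make_sample_db():
    """Build a constructed, in-memory stand-in for a wp_posts table.

    Rows 1-4 imitate what the fake plugin leaves behind: published posts and
    pages whose status was overwritten with the string 'null' (row 4 uses a
    real SQL NULL to cover that variant too). The data is invented for this
    example and does not come from any real site.
    """
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE wp_posts (
                      ID INTEGER PRIMARY KEY,
                      post_title TEXT,
                      post_type TEXT,
                      post_status TEXT)""")
    rows = [
        (1, "Hello world!", "post", "null"),
        (2, "About us", "page", "null"),
        (3, "Pricing", "page", "null"),
        (4, "Contact", "page", None),
        (5, "Unfinished post", "post", "draft"),
        (6, "Hello world! (revision)", "revision", "inherit"),
    ]
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return db


def find_tampered_posts(db):
    """Return (ID, title, type, status) for rows whose status WordPress never writes.

    A NULL or unknown post_status is the fingerprint of the mass-unpublish
    step; `NOT IN` alone would silently skip SQL NULL, so it is tested explicitly.
    """
    placeholders = ", ".join("?" for _ in VALID_STATUSES)
    query = f"""SELECT ID, post_title, post_type, post_status FROM wp_posts
                WHERE post_status IS NULL OR post_status NOT IN ({placeholders})
                ORDER BY ID"""
    return db.execute(query, VALID_STATUSES).fetchall()


def restore_posts(db):
    """Republish the blanked-out posts and pages; returns the number of rows changed.

    Only 'post' and 'page' rows carrying the bogus status are touched, so
    genuine drafts, revisions and trashed items keep their real state.
    """
    cur = db.execute("""UPDATE wp_posts SET post_status = 'publish'
                        WHERE (post_status IS NULL OR post_status = 'null')
                          AND post_type IN ('post', 'page')""")
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_sample_db()
    for row in find_tampered_posts(db):
        print("tampered:", row)
    print("restored", restore_posts(db), "rows; remaining:", find_tampered_posts(db))
```

Setting everything back to `publish` is correct only because, as described above, the plugin changed items that were already published; run the detection query first and work on a database backup, so that if a site also had drafts or private posts with odd statuses they are not published by mistake.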
Sucuri has identified roughly 291 websites that have been impacted by the attack, with a Google search revealing a mix of sites that have been cleaned up and those that still have ransom notes.
All of the sites included in Bleeping Computer’s search results utilize the same Bitcoin address, 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc, which has yet to receive any ransom payments.
How can you protect your WordPress?
To prevent WordPress sites from being hacked, Sucuri recommends the following security practices:
- Examine the site’s admin users, delete any fraudulent accounts, and update or change all wp-admin passwords.
- Protect your wp-admin administrator page with a password.
- Passwords for other access points should be changed as well (database, FTP, cPanel, etc.).
- Put your website in front of a firewall.
- Follow solid backup procedures that will make data recovery simple in the event of an actual encryption breach.
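The first recommendation, reviewing the site's admin users, can be done against the `wp_users` and `wp_usermeta` tables rather than by clicking through the dashboard, which matters when the dashboard itself may be compromised. The script below is an added example for this article, not Sucuri's code: it uses a constructed in-memory copy of the two tables (invented accounts), assumes the default `wp_` table prefix, parses the PHP-serialized `wp_capabilities` value WordPress stores per user, and reports every administrator account that is not on the owner's known list.

```python
import re
import sqlite3

# Administrator logins the site owner knows about (constructed for this example).
EXPECTED_ADMINS = {"siteowner"}


def make_sample_db():
    """Constructed in-memory stand-in for wp_users and wp_usermeta (invented data)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE wp_users (
                      ID INTEGER PRIMARY KEY, user_login TEXT,
                      user_email TEXT, user_registered TEXT)""")
    db.execute("""CREATE TABLE wp_usermeta (
                      umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                      meta_key TEXT, meta_value TEXT)""")
    users = [
        (1, "siteowner", "owner@example.com", "2019-03-01 10:00:00"),
        (2, "editor_jane", "jane@example.com", "2020-06-15 08:30:00"),
        (3, "wp_support", "support@example.net", "2021-11-11 23:58:41"),
    ]
    # WordPress stores roles as a PHP-serialized array under {prefix}capabilities.
    meta = [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ]
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", users)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", meta)
    db.commit()
    return db


def roles_from_capabilities(serialized):
    """Extract the enabled role names from a PHP-serialized wp_capabilities value.

    Each role appears as s:<len>:"<role>";b:1; (b:0 would mean disabled).
    """
    return set(re.findall(r's:\d+:"([^"]+)";b:1;', serialized))


def list_admins(db, prefix="wp_"):
    """Return (ID, login, email, registered) for every account with the administrator role."""
    rows = db.execute(
        """SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
           FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
           WHERE m.meta_key = ? ORDER BY u.ID""",
        (prefix + "capabilities",),
    ).fetchall()
    return [(uid, login, email, reg) for uid, login, email, reg, caps in rows
            if "administrator" in roles_from_capabilities(caps)]


def unexpected_admins(db, expected=EXPECTED_ADMINS, prefix="wp_"):
    """Admin accounts not on the owner's list; each needs to be explained or removed."""
    return [a for a in list_admins(db, prefix) if a[1] not in expected]


if __name__ == "__main__":
    db = make_sample_db()
    for uid, login, email, registered in unexpected_admins(db):
        print(f"unexpected administrator: id={uid} login={login} "
              f"email={email} registered={registered}")
```

The registration timestamp is worth printing alongside the login: an administrator created minutes before the ransom page appeared is the kind of account the first recommendation tells you to delete, and the same lookup is the natural place to reset every remaining admin password.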
Because threat actors frequently target WordPress, it is also crucial to make sure all of your installed plugins are up to date.
Update, 18 November 2021
Bleeping Computer has received word of a recent fix for the Directorist plugin, which addressed a vulnerability that allowed low-privilege users to run arbitrary code.
While the plugin isn’t identified as an infiltration point in Sucuri’s report, the vulnerability’s existence makes sense in the context of the attack.
Removing the malware and restoring the site will not stop the actors from striking again as long as the Directorist plugin remains at an older, vulnerable version.