Attacks targeting a recently addressed vulnerability in the WordPress plugin File Manager are ramping up, warns the Wordfence Threat Intelligence team
Attacks targeting a recently addressed vulnerability in the WordPress plugin File Manager are ramping up, warns the Wordfence Threat Intelligence team at WordPress security company Defiant.
With over 700,000 active installs, File Manager is a highly popular WordPress plugin that provides admins with file and folder management capabilities (copy/paste, delete, download/upload, edit, and archive).
In early September 2020, the plugin’s developer addressed a critical-severity zero-day flaw that was already being actively targeted. Assessed with a CVSS score of 10, the flaw can allow attackers to remotely execute code on a vulnerable installation.
The issue is related to code taken from the elFinder project, with the File Manager developers renaming the elFinder library’s connector.minimal.php.dist file to .php, to have it execute directly. This, however, opened the plugin to attackers.
Nearly two weeks after a patch for the vulnerability was released, multiple threat actors are targeting unpatched installations, Wordfence researchers reveal.
Within days after the zero-day was patched, attackers were targeting over 1.7 million sites, but that number increased to 2.6 million as of September 10.
“We’ve seen evidence of multiple threat actors taking part in these attacks, including minor efforts by the threat actor previously responsible for attacking millions of sites, but two attackers have been the most successful in exploiting vulnerable sites, and at this time, both attackers are password protecting vulnerable copies of the connector.minimal.php file,” Wordfence notes.
The most active of the attackers is a Moroccan threat actor referred to as “bajatax,” which modifies the vulnerable connector.minimal.php file to prevent further attacks. This is the first threat actor observed targeting the vulnerability at scale.
Once it manages to compromise a website, the attacker adds code to exfiltrate user credentials using the Telegram messenger’s API. The code is added to the WordPress core user.php file and, if WooCommerce is installed, two more files are modified to steal user credentials.
A second adversary targeting the security flaw is attempting to inject a backdoor into the vulnerable websites, and is protecting the connector.minimal.php file with a password, in an attempt to prevent other infections. However, it appears that the threat actor is using a consistent password across infections.
Two copies of the backdoor are inserted into the infected website, one in the webroot and the other in a randomized writable folder, likely in an attempt to ensure persistence. The attacker leverages the backdoors to modify core WordPress files which would then be abused for monetization purposes, based on the threat actor’s previously observed modus operandi.
On many of the compromised websites, Wordfence discovered malware from multiple adversaries. Attacks targeting the vulnerability were observed originating from more than 370,000 separate IP addresses, with almost no overlaps between the IPs used by the two most active attackers.
“As more and more users update or remove the File Manager plugin, control of any infected sites will likely be split between these two threat actors,” Wordfence notes.
Site administrators are advised to update the File Manager plugin as soon as possible, but also to scan their website for possible compromise and to remove any malicious code they might find.