Attackers who are actively exploiting a critical remote code execution flaw affecting over 600,000 of WordPress sites running vulnerable File Manager plugin versions have also been seen protecting the sites they compromise from other threat actors’ attacks.
The critical vulnerability allows unauthenticated attackers to upload malicious PHP files and execute arbitrary code following successful exploitation [1, 2, 3]. File Manager’s dev team addressed the flaw with the release of File Manager 6.9.
Even though the flaw was patched within hours after the devs were informed by Seravo’s on-call security officer Ville Korhonen who discovered the zero-day flaw and the ongoing attacks trying to exploit it, researchers with WordPress security firm Defiant spotted more than 1.7 million sites being probed by threat actors between September 1st and September 3rd.
In an updated report published today, Defiant threat analyst Ram Gall says that the threat actors haven’t stopped their siege, with the total number of WordPress sites being targeted going up to 2.6 million.
File Manager’s dev team addressed the actively exploited critical vulnerability with the release of File Manager 6.9
Multiple threat actors are currently targeting this vulnerability on sites running vulnerable versions of the File Manager plugin according to Defiant, but two of them have had the most success in deploying malware on vulnerable sites.
One of them is bajatax, a Moroccan threat actor previously known for having a penchant for stealing user credentials from PrestaShop e-commerce websites.
Once he manages to compromise a WordPress site as part of the ongoing attacks, bajatax injects malicious code that harvests and exfiltrates user credentials via Telegram on any login attempt, later to be sold to the highest bidder.
The other one injects a backdoor in a randomized folder and into the site’s webroot, both camouflaged as .ico files, to lower the chance that the site admin will find both and cut oof the threat actor’s access to the website.
As Gall explains, the PHP infector used by this second attacker is a variant of an infection previously used to deploy cryptominers and run SEO spam campaigns via compromised sites.
Fighting Over Control
Both of them have been seen by Defiant while trying to block other attackers’ exploit attempts by password protecting the exploitable connector.minimal.php file on sites they’ve infected.
“Our site cleaning team has cleaned a number of sites compromised by this vulnerability, and in many cases, malware from multiple threat actors is present,” Gal explains.
“The aforementioned threat actors have been by far the most successful due to their efforts to lock out other attackers, and are collectively using several thousand IP addresses in their attacks.”
NinTechNet, who also reported the exploit attempts when the attacks started, also discovered the attackers’ attempts to block others from compromising already infected site by password protecting files exposed to writing by the File Manager flaw.
Blocking further exploitation (NinTechNet)
In all, Defiant’s researchers saw attacks trying to exploit this vulnerability originating from more than 370,000 separate IP addresses, with almost no overlap in backdoor access activity.
“The single exception is the IP 188.8.131.52, which appears to be a third party opportunistically checking for the presence of both of these backdoors and then attempting to add a backdoor of its own, without much success,” Gal added.