Cybercriminals have been leveraging a vulnerability in a popular WordPress plugin to redirect the visitors of thousands of websites to exploit kits, a researcher has warned.

Security experts at Germany’s Computer Emergency Response Team (CERT-Bund) and Yonathan Klijnsma reveals that at least 3,000 websites have been compromised by attackers exploiting a known vulnerability in the Slider Revolution (RevSlider) plugin. Once again, a WordPress plugin is used hack into a website, this flaw was fixed silently by the developmet team in February 2014, but the existence of the vulnerability came to light in September 2014, when it was exploited worldwide by criminal crews.

Cyber criminals exploiting the flaw in RevSlider plugin to hijack thousands of websites running the vulnerable version.

In December 2014, experts at Sucuri firm reported that more than 100,000 WordPress websites had been compromised and used to serve the SoakSoak malware.

“Our analysis is showing impacts in the order of 100’s of thousands of WordPress specific websites. We cannot confirm the exact vector, but preliminary analysis is showing correlation with the Revslider vulnerability we reported a few months back.” reported Sucuri. “The impact seems to be affecting most hosts across the WordPress hosting spectrum. Quick breakdown of the decoding process is available via our PH

Returning to the present day, the RevSlider vulnerability is being exploited once again by bad actors that have been injecting malicious iframes on vulnerable websites in an effort to redirect visitors to domains hosting exploit kits.

Yonathan Klijnsma detailed the attack chain in a blog post, the cyber criminals compromised the websites by exploiting a local file inclusion (LFI) vulnerability. The exploitation of the LFI flaw allows attackers to access server file system, then the attackers create a new administrator account, upload a malicious script and complete the attack by installing backdoors to files associated with other WordPress plugins.

Investigation on one of the compromised sites shows the attackers performed the following steps:

  • RevSlider was abused to add an extra Administrator account
  • The attacker uploaded a script called ‘smart.php’
  • Edited 3 files in the WordPress installation; 2 files inside other plugins were backdoored with a code execution backdoor and the WordPress ‘nav-menu.php’ file was modified

Typically, attackers redirected victims to websites hosting the popular Fiesta exploit kit, but Klijnsma explains that they also used the Angler exploit kit for the malicious campaign.

The exploit kits are used several strain of malware, including the popualr Cryptowall 3.0 ransomwarefinancial trojans, and ad fraud malware.

“It just depends who rents ‘loads’ on these instances,” explained Klijnsma.

The attackers hosted the exploit kits through domains that are all hosted at dynamic DNS providers and have all been set to a short Timt To Live.

The CERT-Bund collected precious information to profile the hacking campaign, over half of the compromised websites are .com and the majority of them is hosted in the United States. The campaign also involved websites in the Netherlands, Germany, France, Spain, the United Kingdom, Italy, Poland, Canada and Singapore.

w1

Klijnsma suggests to administrators whose websites have been compromised to remove all accounts and create new ones with new passwords because the attackers have gained administrative access to the site compromising all the accounts the moment of the attack.

“Check all PHP files for modifications by comparing them to files from the official WordPress website (or own local copies if you are 100% sure they are unaffected). Any modified files should be replaced with the normal ones,” suggested Klijnsma .

As mitigation action, it is suggested to update the RevSlider plugin to the latest version. Be careful because many themes  include the popular plugin, this means that your website could be vulnerable without your knowledge, in this case use the patch for RevSlider available on the official WordPress website.

Pierluigi Paganini