Threat Analysis: New APT Targeting WordPress Theme & Plugin Vulnerabilities

Over the course of the last 2 weeks hackers have managed to uncover different “0Days” found within the framework of various WordPress themes/plugins, and I put the term 0Days in “quotations” because, technically speaking, they aren’t necessarily 0Days in the historical sense of the word. Rather, these new attacks utilize a different means of bypassing security to gain administrator privileges and/or steal data. Put another way, the vulnerabilities you will find below aren’t masterfully written pieces of malware; rather, they are cleverly written Uniform Resource Locators (URLs) that exploit holes or “bugs” accidentally built into the framework of different WordPress themes and plugins.

Before getting into my findings, last week Rogue Security Labs uncovered/published two separate “0Days” affecting WordPress owners, analysis of which you can find under the reports section of this website. The first targeted CherryFramework themes, allowing hackers to download site database backup files. The second leveraged an XSS vulnerability within the Easy Testimonials version 3.2 plugin, allowing hackers to escalate privileges attached to the back end of a WordPress owner’s account.

Example of the URL Address Used To Compromise CherryFramework:

[image of the logged URL not reproduced]

Example of the URL Address Used To Compromise Easy Testimonials:

[image of the logged URL not reproduced]

With that established, over the course of the last two weeks, perhaps in retaliation for all the leaks I’ve been releasing, Rogue Security Labs has successfully absorbed approximately 423 “Web Application Attacks” primarily originating out of Ukraine. Interestingly enough, while trying to trace the IP Address back to the source, I managed to uncover a secret message the hacker had left behind, embedded within their network activity, reading: “!!!! WE DONT ACCEPT POST from RUSSIA !!! SANCTIONS !!!!”. Perhaps this indicates that the Ukrainian attackers are attempting to leverage hacks against people, persons or entities they feel support the Russian Federation, thereby using Web Application Attacks as a type of weapon to take down websites and turning them into some sort of de facto sanction against internet companies trying to do business online?

While I am not entirely sure what their motives are, what I do know is that none of their attacks were successful in bringing down my site, and to this day not a single hacker has ever been able to compromise my security. Moreover, studying their efforts/techniques more directly revealed some unique insights into how they’ve managed to take down or compromise other WordPress sites throughout the past. For example, on November 15th my firewall logged a URL attempting to exploit a 0Day affecting the GDPR Compliance plugin – 24 hours before news of the vulnerability was first released to the public on November 16th.
Example – GDPR Plugin Attack:

[image of the logged URL not reproduced]

Then again, on November 16th, my firewall logged another URL tied to a different 0Day built into the CherryFramework theme for WordPress, almost a week before the exploit was first published online by yours truly – ironically enough, completely unrelated to the attempted hacks on my site.

Example – CherryFramework Attack:

[image of the logged URL not reproduced]

Perhaps even more interesting, at least from my perspective, is the fact that both of these URLs/0Days were logged from the same IP Address/hacker – along with well over 200 others just like them, mostly all targeting different themes and plugins with extremely specific URL endpoint destinations. Tying all of this information together, it wouldn’t then be a stretch to imagine that the rest of those URLs also open up different, previously undisclosed 0Days/vulnerabilities. Consequently, this is exactly why I am releasing this threat analysis here today.

All said and done, after I finally decided to blacklist the attackers and cut them off for good, upon auditing my firewall logs I managed to uncover approximately 423 Web Application Attacks. Breaking down the data further, Rogue Security Labs managed to document 0Days affecting up to 19 WordPress theme designs and 17 WordPress plugins – including the two 0Days outlined above. Please note that the URLs listed below do not open up some sort of magic door to exploit websites; rather, they offer a means or window through which a hacker can exploit a website, either through some sort of SQL injection vulnerability or XSS attack on the specific URL entered. Moreover, the hackers choose these exact themes and plugins for a reason, likely because they have successfully compromised these same themes and plugins at one point or another in the past – which also explains why they automatically incorporate them into every Web App Attack they launch against WordPress in the first place.
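One way to do the kind of firewall-log breakdown described above, as an added example that is not the author’s own tooling: it parses Apache-style access-log lines, classifies each request by the theme or plugin directory it touches (or admin-ajax.php), flags textbook injection/traversal markers in the decoded query string, and surfaces any source IP that probes many distinct components, which is the scanner signature the post describes. The log lines, IP addresses and paths are constructed placeholders, not data from the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format (placeholder IPs and paths, not real data).
SAMPLE_LOG = """\
198.51.100.7 - - [15/Nov/2018:10:01:02 +0000] "GET /wp-content/plugins/wp-gdpr-compliance/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2018:10:01:03 +0000] "GET /wp-content/themes/cherryframework/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2018:10:01:05 +0000] "GET /wp-content/plugins/easy-testimonials/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2018:10:01:06 +0000] "GET /?s=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2018:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&file=..%2F..%2Fwp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Nov/2018:10:05:00 +0000] "GET /2018/11/threat-analysis/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
THEME_RE = re.compile(r"^/wp-content/themes/([^/]+)/")
PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")
# Textbook injection / traversal markers in a decoded query string; tune these for your own site.
BAD_QUERY_RE = re.compile(r"(<script|\.\./|union\s+select|'\s*or\s+'?1'?\s*=\s*'?1)", re.I)

def classify(target):
    """Return (kind, component, bad_query) for one request target (path plus optional query)."""
    path, _, query = target.partition("?")
    kind, name = "other", None
    if m := THEME_RE.match(path):
        kind, name = "theme", m.group(1)
    elif m := PLUGIN_RE.match(path):
        kind, name = "plugin", m.group(1)
    elif path == "/wp-admin/admin-ajax.php":
        kind = "ajax"
    return kind, name, bool(BAD_QUERY_RE.search(unquote(query)))

def triage(log_text, min_components=3):
    """Per-IP summary plus the IPs that probe many distinct themes/plugins or send bad queries."""
    per_ip = defaultdict(lambda: {"requests": 0, "themes": set(), "plugins": set(), "ajax": 0, "bad_queries": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined-log format; skip
        s = per_ip[m["ip"]]
        s["requests"] += 1
        kind, name, bad = classify(m["target"])
        if name:
            s[kind + "s"].add(name)  # "theme" -> "themes", "plugin" -> "plugins"
        s["ajax"] += (kind == "ajax")
        s["bad_queries"] += bad
    flagged = {ip for ip, s in per_ip.items()
               if len(s["themes"]) + len(s["plugins"]) >= min_components or s["bad_queries"]}
    return per_ip, flagged
```

Running `triage(SAMPLE_LOG)` flags only the placeholder 198.51.100.7, which touched one theme, two plugins and sent two bad query strings; the ordinary reader at 203.0.113.9 is left alone.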

Full List of Vulnerable Themes:

  • Peekaboo Theme by Theme Forest
  • Sketch Theme by Automattic
  • Hello Theme by BrandiD
  • Porto Theme by Porto
  • t98-Sade Theme by Themetix
  • Avada Theme by Avada
  • TwentySeventeen Theme by WordPress.org
  • Poseidon Theme by Themezee
  • Belleza Theme by alexathemes

[the logged URLs for each theme were shown as images, which are not reproduced]

Still other attacks attempted to remotely access either PHP files or 404 error logs through URL addresses tied to the databases within the framework of various themes, including:

  • Aqua
  • Default
  • Aggregator
  • TwentyEleven
  • Bootcake2
  • Zen Water
  • Gua Kingo
  • Pridmay
  • Black Power

Full List of Vulnerable Plugins:

  • SimplePie, Smart Google Code Inserter & Ultimate Member
  • WooCommerce & Custom CSS
  • All In One SEO
  • Easy Rotator for WordPress & Contact Form 7
  • WP Layer Slider
  • Background Image Cropper
  • Kiwi Social Share
  • Cherry GPL
  • Link Love
  • Libravatar
  • API Key
  • Post Slider Carousel

[the logged URLs for each plugin were shown as images, which are not reproduced]

Other attack variations attempted to hijack pages tied to plugins utilizing AJAX. For example:

[image of the logged URL not reproduced]

I also detected various attempted “SQL Injections” and “XSS Attacks” attempting to exploit holes in my website’s headers or inject code into the embedded images found on my various posts/articles, expecting that I hadn’t hardened my headers, blocked bad query strings or disabled copy and pasting:

[image of the logged URLs not reproduced]

Other attacks attempted to leverage cached versions of my website, in hopes of finding earlier versions of the website that may have been less secure than the current version they were attacking:

[images of the logged URLs not reproduced]

And finally, the last string of attacks I faced was launched out of Budapest, attempting to hijack or exploit my email’s DNS:

[images of the logged URLs not reproduced]

As previously stated, none of the hacks above managed to compromise my site – even if they may have compromised others throughout the past. Not knowing my theme or security design ahead of time, I suspect the hackers just threw everything they had at me to see what, if anything, would stick. If you would like to learn more about how to mitigate these attack styles in the future, or how to fully harden your WordPress account/website outside of JetPack, which does nothing to prevent SQL Injections, XSS attacks, Brute Force Attacks, DDoS attacks or really anything else for that matter – #ShotsFired – I have prepared an extensive WordPress security tutorial on this subject.

Request A Copy: BrianDunn@RogueSecurityLas.Ltd
