Over the course of the last 2 weeks hackers have managed to uncover different “0Days” found within the framework of various WordPress themes/plugins, and I put the term ODays in “quotations” because, technically speaking, they aren’t necessarily 0Days in the historical sense of the word. Rather, these new attacks utilize a different means of bypassing security to gain administrator privileged and/or steal data. Put another way, the vulnerabilities you will find below aren’t masterfully written pieces of malware, rather, they are cleverly written Uniform Resource Locators (URL’s) that exploit holes or “bugs” accidentally built into the framework of different WordPress themes and plugins.
Before getting into my findings, last week Rogue Security Labs uncovered/published two separate “0Days” effecting WordPress owners, analysis of which you can find under the reports section of this website. The first targeted CherryFramework themes, allowing hackers to download site database backup files. The second leveraged an XSS vulnerability within the Easy Testimonials version 3.2 plugin, allowing for hackers to escalate privileges attached to the back end of a WordPress owners account.
Example of the URL Address Used To Compromise CherryFramework:
Example of the URL Address Used To Compromise Easy Testimonials:
With that established, over the course of the last two weeks, perhaps in retaliation for all the leaks I’ve been releasing, Rogue Security Labs has successfully absorbed approximately 423 “Web Application Attacks” primarily originating out of Ukraine. Interestingly enough, while trying to trace the IP Address back to the source, I managed to uncover a secret message the hacker had left behind – embedded within their network activity. Reading: “!!!! WE DONT ACCEPT POST from RUSSIA !!! SANCTIONS !!!!” – perhaps indicating that the Ukrainian attackers are attempting to leverage hacks against people, persons or entities they feel support the Russian Federation? Therefore using Web Application Attacks as a type of weapon to take down websites turning them into some sort de facto sanction against internet companies trying to do business online?
While I am not entirely sure what their motives are, what I do know is that none of their attacks was successful in bringing down my site, and to this day not a single hacker has ever been able to compromise my security. Moreover, studying their efforts/techniques more directly revealed some unique insights into how they’ve managed to take down or compromise other WordPress sites throughout the past. For example, on November 15th my firewall logged a URL attempting to exploit a ODay effecting the GDPR Compliance plugin – 24 hours before news of the vulnerability was first released to the public on November 16th.
Example – GDPR Plugin Attack:
Just a reminder. Last week, hackers targeted WP sites using the WP GDPR Compliance plugin.
This campaign against sites using AMP for WP is the second such campaign within the span of a week.https://t.co/4lUvQs16qJ
— Catalin Cimpanu (@campuscodi) November 20, 2018
Then again, on November 16th, my firewall logged another URL tied to a different 0Day built into the CherryFramework theme for WordPress, almost a week before the exploit was first published online by yours truly – ironically enough, completely unrelated to the attempted hacks on my site.
Example – CherryFramework Attack:
Hacker going by the name of b1p0l4r has disclosed a new #0Day #exploit effecting CherryFramework #WordPress theme owners, allowing for remote downloads of site backup zip files. #RogueSecurityLabs: https://t.co/OClmY584g0
— Rogue Security Labs (@Rogu3_Labs) November 21, 2018
Perhaps even more interesting, at least from my perspective, is the fact that both these URL’s/0Days were logged from the same IP Address/hacker – along with well over 200 others just like them, mostly all targeting different themes and plugins with extremely specifically URL endpoint destinations. Tying all of this information together, it wouldn’t then be a stretch to imagine that the rest of those URL’s also open up different previously undisclosed 0Days/vulnerabilities. Consequently enough, this is exactly why I am releasing this threat analysis here today.
All said and done, after I finally decided to blacklist the attackers and cut them off for good, upon auditing my firewall logs, I managed uncover approximately 423 Web Application Attacks. Breaking down the data further, Rogue Security Labs managed to document 0Days effecting up to 19 WordPress theme designs and 17 WordPress plugins – including the two 0Days outlined above. Please note that the URL’s listed below do not magically open up some sort of magic door to exploit websites, rather, they offer a means or window through which a hacker can exploit a website, either through some sort of SQL injection vulnerability or XSS attack on the specific URL entered. Moreover, the hackers choose these exact themes and plugins for a reason, likely because they have successfully compromised these same themes and plugins at one point or another in the past – which also explains why they automatically incorporate it into every Web App Attack they launch against WordPress in the first place.
Full List of Vulnerable Themes:
Peekaboo Theme by Theme Forest:
Sketch Theme by Automattic:
Hello Theme by BrandiD:
Porto Theme by Porto:
t98-Sade Theme by Themetix:
Avada Theme by Avada:
TwentySeventeen Theme by WordPress.org:
Poseidon Theme by Themezee:
Belleza Theme by alexathemes:
Still other attacks attempted to remotely access either php files or 404 error logs through URL addresses tied to the databases within the framework of various themes, including:
- Zen Water
- Gua Kingo
- Black Power
Full List of Vulnerable Plugins:
Other attack variations attempted to hijack pages tied to plugins utilizing ajax. For example:
I also detected various attempted “SQL Injections” and “XSS Attacks” attempting to exploit holes in my websites headers or inject code in the embedded images found on my various posts/articles, expecting that I hadn’t hardened my headers, blocked bad query strings or disabled copy and pasting:
Other attacks attempted to leveraged cashed versions of my website, in hopes of finding earlier versions of the website that may have been perhaps less secure than the current versions they were attacking:
And finally, the last string of attacks I faced was launched out of Budapest, attempting to hijack or exploit my Emails DNS:
As previously stated, none of the hacks above managed to compromise my site – even if they may have compromised others throughout the past. Not knowing my theme or security design ahead of time, I suspect the hackers just threw everything they had at me to see what, if anything, would stick. If you would like to learn more about how to mitigate these attack styles in the future, or how to fully harden your WordPress account/website outside of JetPack, which does nothing to prevent SQL Injections, XSS attacks, Brute Force Attacks, DDoS attacks or really anything else for that matter – #ShotsFired – I have prepared an extensive WordPress security tutorial on this subject.
Request A Copy: BrianDunn@RogueSecurityLas.Ltd