
Hacking 'feeding frenzy' defaces 1.5 million webpages

By James Walker, Feb 10, 2017 in Technology
Over 1.5 million webpages from 39,000 different websites have been defaced by hackers in the past two days. The group is exploiting a vulnerability in popular content management system WordPress, allowing pages to be modified by unauthorised users.
Security firm Sucuri discovered the attacks in January. It reported the bug to WordPress and an updated version has since been released. However, not everyone has installed the patch, leaving a large pool of sites at risk of hijacking.
Four distinct hacking groups have mounted campaigns to deface WordPress websites. The most successful collective, known as w4l3XzY3, has modified over 66,000 webpages, adding "by w4l3XzY3" to page titles. The attackers are attempting to make money from the defacements by injecting spam images and content into pages, artificially boosting their search engine rankings.
The campaigns target websites with popular plugins such as Insert PHP and Exec-PHP installed. These allow website administrators to directly edit the code of their webpages, making it easier to add advanced functionality. A weakness in WordPress' API lets the hackers run malicious code on the site and obtain access to a backdoor.
Because the vulnerability is so easy to exploit, attackers are rushing to deface sites in a quest to make money. With around 40,000 websites already impacted, the effects are being felt across the internet. The defaced pages can be found by typing the signatures of the hacking groups into a search engine.
"This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites," Mark Maunder, founder and CEO of security firm Wordfence, said to Bleeping Computer.
Maunder added that his company has logged 800,000 attacks against WordPress sites during the past 48 hours. They all stemmed from the software's REST API vulnerability, which enables exploitation of PHP execution plugins.
A sample of WordPress pages defaced by hacking group w4l3XzY3
Website administrators should install WordPress version 4.7.2 to protect themselves against the attacks. The update was released on January 26. WordPress detailed the REST API issue in a separate post a week later, saying it "is in the public's best interest" to be aware of the vulnerability.
WordPress delayed the disclosure so sites could install the update before hackers got to know the details. At the time, neither WordPress nor Sucuri had found any successful exploits in the wild. Although controversial, the decision enabled millions of sites to safely update while attackers were still unaware of the ease of exploitation.
"We believe transparency is in the public's best interest," said the team behind WordPress. "It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites."
WordPress thanked Sucuri for responsibly detailing the issue. It urged WordPress administrators to install version 4.7.2 as soon as possible. The organisation has alerted other potential information points, including Google's Search Console. Google emailed WordPress 4.7.0 and 4.7.1 users last weekend, telling them to update immediately.