WordPress SMTP plugins exploited by two hacking groups

Two cyber-security companies responsible for providing firewall plugins for WordPress websites have observed attacks on a zero-day vulnerability in a popular WordPress plugin.

The companies were able to identify at least two hacking groups abusing the zero-day to change the settings of compromised websites, create rogue admin accounts, and then hijack traffic from the hacked sites.

According to the research by the security companies, the zero-day abused by the hackers resides in "Easy WP SMTP," a WordPress plugin with over 300,000 active installs. The plugin's main feature is to let website owners configure the SMTP settings their site uses for outgoing email.

NinTechNet, the company behind the Ninja Firewall for WordPress, was the first to notice the attacks on Friday, March 15. NinTechNet immediately reported its findings to the plugin's author, who patched the zero-day on Sunday with the release of version 1.3.9.1.

Despite the patch, the attacks didn't stop and continued throughout the week. In fact, the attackers gained momentum over time and tried to compromise as many sites as possible before the owners noticed.

Defiant, the cybersecurity firm that manages the Wordfence WordPress firewall, said that it observed the attacks continuing even after the patch. The company published a detailed analysis of its observations in a report, in which it stated that the attackers exploited a settings export/import feature added to the Easy WP SMTP plugin in version 1.3.9. According to Defiant, the hackers found a hole in the import function of that feature that allowed them to alter a site's overall settings, not just the ones related to the plugin.

The hackers scan for sites running this plugin and then modify the settings that control user registration, a feature that many WP site owners keep disabled for security reasons.

In the attack spotted by NinTechNet before the patch, the hackers modified the "wp_user_roles" option, which controls the permissions of the 'subscriber' role on WP sites, granting subscribers the same capabilities as an admin.

In non-technical terms, the hackers used the vulnerability to register new accounts that appeared as subscribers in the WP site's database but in practice had the same abilities as an admin account.

In the follow-up attacks detected by Defiant, the hackers switched their mode of operation and began modifying the 'default role' setting instead of the previously used 'wp_user_roles.' With this new approach, every newly created account received the privileges of an admin account.

According to Defiant's reports, both hacker groups now follow this newer routine.

However, Defiant claims that the similarity ends there. While one of the two groups stops any activity after creating a backdoor admin account on the hacked site, the second group modifies the website to redirect visitors to malicious sites.

Fixing vulnerable sites

Websites that use the Easy WP SMTP plugin are advised to update the plugin to the latest version, v1.3.9.1. After updating, both cybersecurity companies recommend auditing the site's user section for newly added accounts at both levels, i.e. subscriber and admin.
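The two tampering patterns described above (admin capabilities added to the 'subscriber' role in wp_user_roles, and the default role or registration settings changed) and the post-update user audit recommended here can be checked from an export of the site's options and user list. The following is an added example, not code from the article or from either security company; it assumes the option values and the user list have been exported in the same JSON shape that WP-CLI produces (`wp option get <name> --format=json`, `wp user list --format=json`), and all sample values are constructed.

```python
"""Audit exported WordPress options and users for the role/registration tampering described above."""
from datetime import datetime

# Capabilities that only administrators should hold. Finding any of these on a
# lower role (such as 'subscriber') is the indicator described for the first attack variant.
ADMIN_ONLY_CAPS = {
    "manage_options", "edit_users", "create_users", "promote_users", "delete_users",
    "install_plugins", "edit_plugins", "activate_plugins", "edit_files",
}

# Constructed sample: what a tampered site's options might look like after export.
# The roles option is named '<table_prefix>user_roles', i.e. 'wp_user_roles' with the default prefix.
SAMPLE_OPTIONS = {
    "users_can_register": "1",          # registration switched on (normally "0")
    "default_role": "administrator",    # second attack variant: new users become admins
    "wp_user_roles": {
        "administrator": {"name": "Administrator",
                          "capabilities": {"manage_options": True, "edit_users": True, "read": True}},
        "editor": {"name": "Editor", "capabilities": {"read": True, "edit_posts": True}},
        # first attack variant: subscriber role quietly given admin-only capabilities
        "subscriber": {"name": "Subscriber",
                       "capabilities": {"read": True, "level_0": True,
                                        "manage_options": True, "edit_users": True}},
    },
}

# Constructed sample user list (same fields as `wp user list --format=json`).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "roles": "administrator", "user_registered": "2018-06-01 09:00:00"},
    {"ID": 57, "user_login": "adminsupport", "roles": "subscriber", "user_registered": "2019-03-16 03:12:44"},
    {"ID": 58, "user_login": "backup", "roles": "administrator", "user_registered": "2019-03-19 22:40:05"},
]


def audit_options(options):
    """Return a list of human-readable findings for the option values this attack modifies."""
    findings = []
    if str(options.get("users_can_register", "0")) not in ("0", ""):
        findings.append("users_can_register is enabled")
    default_role = options.get("default_role", "subscriber")
    if default_role != "subscriber":
        findings.append(f"default_role is '{default_role}' instead of 'subscriber'")
    for role_name, role in options.get("wp_user_roles", {}).items():
        if role_name == "administrator":
            continue
        granted = {cap for cap, enabled in role.get("capabilities", {}).items() if enabled}
        escalated = sorted(granted & ADMIN_ONLY_CAPS)
        if escalated:
            findings.append(f"role '{role_name}' has admin capabilities: {escalated}")
    return findings


def recent_users(users, since):
    """Users registered on or after `since` (ISO date or datetime), newest first.

    Both the first and second attack variant leave behind accounts created after the
    site was hit, so the registration date is the simplest thing to sort by.
    """
    cutoff = datetime.fromisoformat(since)
    hits = [u for u in users if datetime.fromisoformat(u["user_registered"]) >= cutoff]
    return sorted(hits, key=lambda u: u["user_registered"], reverse=True)


if __name__ == "__main__":
    for finding in audit_options(SAMPLE_OPTIONS):
        print("FINDING:", finding)
    for user in recent_users(SAMPLE_USERS, "2019-03-15"):
        print(f"REVIEW: id={user['ID']} login={user['user_login']} "
              f"roles={user['roles']} registered={user['user_registered']}")
```

Run it against real exports by replacing the two sample structures with the parsed JSON from the site; any finding from `audit_options` or any unexpected account from `recent_users` should be reviewed and reverted manually, since the option checks only cover the settings named in this article, not every option the import flaw could have changed.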

Another WordPress security firm, White Fir Design, also published the same warning in its report on these attacks and predicts that several other flaws present in the same plugin might be abused.

As one of the leading CMS platforms, WordPress is a frequent target of hacks. A report published by cyber-security firm Sucuri revealed that 90 percent of all hacked content management systems are WordPress websites.

Update: Within a few hours of the publication of this article, news started circulating about a second zero-day being exploited by the hackers. This second zero-day is reported to affect the Social Warfare plugin, which has been temporarily removed from the main WordPress plugins repository until the developer provides an update.

"Our development team has submitted Social Warfare V3.5.3 to the Wordpress update-repository, which addresses this vulnerability and undoes any changes it makes. Please log-in to your Wordpress dashboard and apply this update as soon as possible," tweeted the Warfare Plugins team.
