Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Thousands of WordPress Sites hacker through MailPoet flaw

Security experts at Sucuri form have observed a surge of cyber attacks against WordPress website which are using not updated version of MailPoet plugin. A large scale attack has hit more than 50,000 websites, the attacker exploited a recently patched vulnerability in a popular plugin for the WordPress CMS. Early July, experts at security firm Sucuri discovered […]

Thousands of WordPress Sites hacker through MailPoet flaw

Security experts at Sucuri form have observed a surge of cyber attacks against WordPress website which are using not updated version of MailPoet plugin.

A large scale attack has hit more than 50,000 websites, the attacker exploited a recently patched vulnerability in a popular plugin for the WordPress CMS. Early July, experts at security firm Sucuri discovered that websites running WordPress and MailPoet plugin were vulnerable to cyber attacks which allow bad actors to gain total control over targeted WorldPress instances.

MailPoet is a very popular plugin with more than 1.7 million downloads, as explained by experts at Secury, the exploitation of the flaw allows attackers to upload any file of their choice to vulnerable servers.

“An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable.” reported blog at Sucuri.

In the three weeks since the disclosure of the flaw, the attackers have exploited the flaw to install a backdoor on a huge quantity of systems, ranging from 30,000 to 50,000 websites, despite some of them don’t run WordPress CMS or don’t have MailPoet enabled.

 

Sucuri MailPoet Infections

 

“To be clear, the MailPoet vulnerability is the entry point,” “It doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website.”  wrote Daniel Cid, CTO & Founder of Sucuri, in blog post.

As explained in the blog,  the experts have identified a specific pattern related to the attacks, the attackers start trying to upload a custom and malicious theme to the targeted site:

194.79.195.139 - - [05/Jul/2014:01:41:30 -0700] "POST /wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://site.com.com/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0"

At this point the attacker has the full control of the site accessing the backdoor located in /wp-content/uploads/wysija/themes/mailp/:

194.79.195.139 - - [05/Jul/2014:01:41:31 -0700] "GET /wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "Mozilla/5.0"
194.79.195.139 - - [05/Jul/2014:04:08:16 -0700] "GET /wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.0" 200 12 "-" "Mozilla/5.0 (Windows)"

“The Backdoor is very nasty and creates an admin user called 1001001. It also injects a backdoor code to all theme/core files. The biggest issue with this injection is that it often overwrites good files, making very hard to recover without a good backup in place.” said the blog post.

As explained by expert at Sucuri, the malware injection tries to compromise all PHP files on the targeted server, this means that compromising a single website hosted on the machine using MailPoet it is possible to extend the infection to any other websites on the system. This means that shared hosting are particularly exposed to such kind of attacks, with serious consequences.

“We had a client that all his 20+ sites got injected, because one site inside the same shared account had MailPoet on it. That’s why we were seeing Joomla and Magento sites with the same malware as well. Took us a bit of time to connect all the dots and find the entry point on them.” explained Sucuri representative to Art Technica.

If you have installed MailPoet on your WordPress don’t waste time hurry up and update it!

Pierluigi Paganini

Security Affairs –  (WordPress, privacy)