Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

1.6 million WordPress sites targeted in the last couple of days

Wordfence experts detected a massive wave of attacks in the last couple of days that targeted over 1.6 million WordPress sites. Wordfence researchers spotted a massive wave of attacks in the days that are targeting over 1.6 million WordPress sites from 16,000 IPs. “Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks […]

WordPress attacks

Wordfence experts detected a massive wave of attacks in the last couple of days that targeted over 1.6 million WordPress sites.

Wordfence researchers spotted a massive wave of attacks in the days that are targeting over 1.6 million WordPress sites from 16,000 IPs.

“Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites. This led us into an investigation which uncovered an active attack targeting over a million WordPress sites.” reads the post published by Wordfence. “Over the past 36 hours, the Wordfence network has blocked over 13.7 million attacks targeting four different plugins and several Epsilon Framework themes across over 1.6 million sites and originating from over 16,000 different IP addresses.”

The attacks are originating from 16,000 IP addresses and are targeting four WordPress plugins and fifteen Epsilon Framework themes.

WordPress attacks

Below is the list of affected plugins:

while the targeted Epsilon Framework themes are:

Below are the top 10 offending IPs observed:

  • 144.91.111.6 with 430,067 attacks blocked.
  • 185.9.156.158 with 277,111 attacks blocked.
  • 195.2.76.246 with 274,574 attacks blocked.
  • 37.187.137.177 with 216,888 attacks blocked.
  • 51.75.123.243 with 205,143 attacks blocked.
  • 185.200.241.249 with 194,979 attacks blocked.
  • 62.171.130.153 with 192,778 attacks blocked.
  • 185.93.181.158 with 181,508 attacks blocked.
  • 188.120.230.132 with 158,873 attacks blocked.
  • 104.251.211.115 with 153,350 attacks blocked.

Experts noticed that in most cases, the threat actors are enabling the users_can_register option and setting the default_role option to administrator. Then the attackers are able to register on any site as an administrator and take over the site.

Site admins could determine if their site has been compromised by reviewing the user accounts on the site to determine if there are any unauthorized user accounts. Indicators of compromise include the presence of a vulnerable version of any of the above plugins or themes along with the presence of a rogue user account.

Researchers recommend removing any rogue accounts and updating your plugins and themes as soon as possible

Experts also recommend reviewing the settings in http://examplesite[.]com/wp-admin/options-general.php page focusing on Membership` and `New User Default Role` settings.

“We strongly recommend ensuring that all of your sites have been updated to the patched versions of the plugins and themes.” concludes the post.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]