
More than 5,000 sites were compromised during a mysterious cyber attack

c/side researchers have discovered an ongoing cyberattack against WordPress-hosted sites. c/side, which makes a cybersecurity tool designed to monitor, secure, and optimize the third-party scripts used on websites, uncovered the campaign while responding to an attack orchestrated against one of its clients.

Attack vector not yet known

The operation aims to steal data from websites. To do so, the hackers must first penetrate the victim's infrastructure. Despite its investigation, c/side has not yet discovered how the cybercriminals compromised the targeted sites; the initial vector of the attack remains a mystery.

A domain and a malicious script

Once inside a site, the attackers load a malicious script from the domain wp3[.]xyz, at https://wp3[.]xyz/td.js. The script creates "unauthorized administrator accounts", taking the credentials for them from its own source code: the username and password of these accounts are embedded in the script itself.

The script then downloads a malicious WordPress plugin from the same domain. This plugin sends "sensitive data to a remote server"; as c/side explains, it is designed to steal credentials and site administrator logs. According to c/side, "over 5,000 sites worldwide" were affected.
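A defender can look for the first stage of this chain directly in a site's rendered HTML: any script tag whose source resolves to the loader domain named above is a strong indicator. The following is an added example, not code from c/side or from the article; it uses Python's standard-library HTML parser, treats the page's domain (wp3[.]xyz) as the blocklist, and runs against a constructed sample page. Matching is done on the hostname so that protocol-relative sources, query strings and subdomains of the blocked domain are all caught.

```python
"""Scan rendered HTML for <script> tags whose source host is on a blocklist."""
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# The loader domain named in the c/side report (written defanged as wp3[.]xyz
# in the article). Matching is by hostname, so scheme, path and query
# variations of the same loader all match.
BLOCKED_HOSTS = {"wp3.xyz"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag names.
        if tag != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def script_host(src: str) -> Optional[str]:
    """Return the lowercase hostname a script src loads from, or None for a
    same-origin (relative) source. A protocol-relative '//host/x.js' is parsed
    by urlsplit as a netloc without a scheme, so it is handled too."""
    parts = urlsplit(src)
    return parts.hostname.lower() if parts.hostname else None


def is_blocked_host(host: str, blocked=BLOCKED_HOSTS) -> bool:
    """True for an exact match or any subdomain of a blocked host."""
    return any(host == b or host.endswith("." + b) for b in blocked)


def find_blocked_scripts(html: str, blocked=BLOCKED_HOSTS) -> List[str]:
    """Return the src values of all script tags loading from a blocked host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [src for src in collector.sources
            if (host := script_host(src)) and is_blocked_host(host, blocked)]


# Constructed sample page: one legitimate same-origin script and two injected
# variants (absolute URL, and protocol-relative URL on a subdomain).
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://wp3.xyz/td.js"></script>
<SCRIPT SRC="//cdn.wp3.xyz/td.js?v=2"></SCRIPT>
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in find_blocked_scripts(SAMPLE_HTML):
        print("blocked script source:", hit)
```

The same collector can be pointed at a crawl of a site's pages, or at the HTML the server returns to an unauthenticated visitor, which is where an injected loader is most likely to surface.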

How to protect your site from hackers?

To avoid falling into the hackers' trap, c/side recommends first blocking the domain wp3[.]xyz, the source of https://wp3[.]xyz/td.js, at the firewall. Blocking the domain prohibits all communication with it (script downloads, data uploads, requests). This cuts the ground out from under the attackers and prevents them from carrying the attack through to completion.

In addition, the researchers advise administrators to review user accounts to identify and remove unauthorized users. If your site has been hit by this campaign, you will likely find malicious administrator accounts. Do the same with all the plugins installed on your WordPress site. At the same time, consider setting up two-factor authentication, which further complicates the attackers' task.

Finally, c/side recommends implementing CSRF (Cross-Site Request Forgery) protections, which prevent an attacker from forcing an authenticated user to perform malicious actions without their knowledge. While we wait to learn more about the origin of the cyberattack, these precautions should help you protect your website.
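The account and plugin review recommended above is easiest to do against an allowlist: export the current users and plugins, then flag anything that is not in the known-good inventory. The following is an added example, not code from c/side or from the article. It assumes exports in the shape produced by WP-CLI (`wp user list --format=csv --fields=ID,user_login,user_email,roles` and `wp plugin list --format=csv`); the CSV contents, the known-good sets, and the plugin name `wp-cache-helper` are all constructed placeholders, since the article does not name the malicious plugin.

```python
"""Audit a WordPress user and plugin export against known-good allowlists."""
import csv
import io
from typing import Iterable, List

# Constructed sample in the shape of:
#   wp user list --format=csv --fields=ID,user_login,user_email,roles
# (the roles field is a comma-separated list, quoted when it has several).
USERS_CSV = """ID,user_login,user_email,roles
1,siteowner,owner@example.com,administrator
2,editor1,editor@example.com,"editor,author"
7,wpadmin_sys,noreply@example.net,administrator
"""

# Constructed sample in the shape of: wp plugin list --format=csv
# "wp-cache-helper" is a placeholder for an unexpected plugin, not the real one.
PLUGINS_CSV = """name,status,update,version
akismet,active,none,5.3
contact-form-7,inactive,none,5.9
wp-cache-helper,active,none,1.0
"""

# Placeholders for the site's own inventory of approved admins and plugins.
KNOWN_ADMINS = {"siteowner"}
KNOWN_PLUGINS = {"akismet", "contact-form-7"}


def _rows(csv_text: str) -> Iterable[dict]:
    return csv.DictReader(io.StringIO(csv_text))


def unexpected_admins(users_csv: str, known_admins: set) -> List[str]:
    """Logins holding the administrator role that are not on the allowlist."""
    return sorted(
        row["user_login"]
        for row in _rows(users_csv)
        if "administrator" in [r.strip() for r in row["roles"].split(",")]
        and row["user_login"] not in known_admins
    )


def unexpected_plugins(plugins_csv: str, known_plugins: set) -> List[str]:
    """Installed plugins (active or not) that are not on the allowlist."""
    return sorted(
        row["name"] for row in _rows(plugins_csv) if row["name"] not in known_plugins
    )


def audit(users_csv: str, plugins_csv: str,
          known_admins: set = KNOWN_ADMINS,
          known_plugins: set = KNOWN_PLUGINS) -> dict:
    """Return both finding lists in one report dict."""
    return {
        "unexpected_admins": unexpected_admins(users_csv, known_admins),
        "unexpected_plugins": unexpected_plugins(plugins_csv, known_plugins),
    }


if __name__ == "__main__":
    report = audit(USERS_CSV, PLUGINS_CSV)
    for admin in report["unexpected_admins"]:
        print("review/remove administrator account:", admin)
    for plugin in report["unexpected_plugins"]:
        print("review/remove plugin:", plugin)
```

Inactive plugins are reported as well as active ones, because a plugin dropped by an attacker does not need to be enabled to warrant removal; the allowlist itself should be kept outside the web root so that a compromised site cannot edit it.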

Source: c/side