The bad news is that a recent wave of cyberattacks has infected WordPress sites in an extensive campaign built on JavaScript injections. The operation targets the millions of ordinary visitors to those sites, redirecting them to sketchy third-party pages by exploiting flaws and weaknesses in the popular content management system.
Attackers have also recently found a way to inject their malicious code into the theme's "functions.php" file, an important theme-related file within the WordPress installation. This gives them the opportunity to carry out a whole host of nefarious deeds, mostly aimed at the website's unsuspecting visitors. The injected content is often drive-by malware posing as a fake Cloudflare verification request, exploiting user trust to infect computers.
The campaign is integrated into a traffic distribution system (TDS) known as Kongtuke, which is also tracked as 404 TDS, Chaya_002, LandUpdate808 and TAG-124. Security analysts consider the domain associated with this TDS to be just one element of a much bigger operation. The TDS lets cybercriminals distribute information stealers such as DeerStealer and Odyssey Stealer, the latter directly targeting Apple macOS devices.
Attack Vectors and Techniques
The injected code calls a remote loader that identifies the compromised site's domain and delivers the malicious content via HTTP POST requests, making the injection seamless. This loader is linked to a large bot detection and bot challenge platform. Worse, this design makes it harder for site administrators to detect and remediate the compromise.
According to Puja Srivastava, a researcher at Sucuri, "Site visitors get injected content that was drive-by malware like fake Cloudflare verification." Cybersecurity specialists remain on high alert because of the advanced character of these attacks. The campaign also adds rogue administrator accounts to compromised sites, which lets the attackers keep admin-level access to hacked WordPress sites while avoiding detection.
Marcus Hutchins, a cybersecurity specialist, highlighted a unique aspect of this campaign: "This campaign differs from previous ClickFix variants in that the malicious script does not download any files or communicate with the internet." Instead, it takes advantage of the local browser cache to persist whatever data it needs, without making extra network calls. It's called the Hutchins technique, and Hutchins went into more detail on how it works. He wrote, "By just allowing the browser to cache the dummy 'image,' the malware can get a whole ZIP file onto the local system without the PowerShell command having to perform any web calls itself."
Implications for WordPress Administrators
In light of these developments, WordPress site administrators face immediate pressure to improve their security. Regularly updating all plugins, themes and core website software is one of the best ways to protect a site from known vulnerabilities, according to industry experts. Enforcing strict password policies and frequently scanning sites for unusual activity also help prevent these attacks.
Microsoft noted that the kits associated with this campaign allow for the creation of landing pages that use various lures, including pages resembling legitimate services such as Cloudflare. This tactic increases the odds of successfully duping a user: because the spoofed interfaces appear real, victims find it difficult to identify the threat.
Amer Elsad emphasized the danger posed by these phishing tools: “This tool allows threat actors to create highly customizable phishing pages that mimic the challenge-response behavior of a browser verification page commonly deployed by Content Delivery Networks (CDNs) and cloud security providers to defend against automated threats.”
Recommendations for Enhanced Security
Given these discoveries, cybersecurity experts encourage WordPress administrators to take proactive security measures. Auditing user accounts regularly will catch unauthorized accounts that shouldn't be there, such as an unknown administrator account. Additionally, using security plugins specifically tailored to detecting and preventing these types of attacks will significantly decrease susceptibility.
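One way to run the administrator-account audit described above, as an added example that is not part of the original article: a small POSIX shell script that compares the administrators WP-CLI reports against a known-good baseline and prints any login it does not recognise. It assumes WP-CLI is installed on the site; the account list below is constructed sample data standing in for the real `wp user list` output.

```shell
#!/bin/sh
# Added example: audit WordPress administrator accounts against a known-good baseline.
# Assumes WP-CLI is available on the host. The CSV below is constructed sample data.

# Known-good administrator logins, one per line, maintained by the site owner.
BASELINE='alice
bob'

# Constructed stand-in for the output of:
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
# On a live site, replace this literal with that command's output, e.g.
#   SAMPLE_CSV="$(wp user list --role=administrator --fields=user_login,user_registered --format=csv)"
SAMPLE_CSV='user_login,user_registered
alice,2021-03-04 10:12:00
bob,2022-07-19 08:45:11
wpsupport,2025-05-30 02:13:57'

# unexpected_admins BASELINE CSV
# Prints every administrator login that is absent from the baseline, with its
# registration timestamp, one per line. Prints nothing when the audit is clean.
unexpected_admins() {
  baseline="$1"
  csv="$2"
  # Drop the CSV header, then split each row on the comma into login and date.
  printf '%s\n' "$csv" | tail -n +2 | while IFS=, read -r login registered; do
    # -x matches the whole line, -F treats the login literally (no regex).
    if ! printf '%s\n' "$baseline" | grep -qxF -- "$login"; then
      printf '%s (registered %s)\n' "$login" "$registered"
    fi
  done
}

# count_unexpected BASELINE CSV
# Returns the number of unexpected administrators on stdout; 0 means clean.
count_unexpected() {
  unexpected_admins "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: report and exit non-zero if any rogue administrator is found.
if [ "$(count_unexpected "$BASELINE" "$SAMPLE_CSV")" != "0" ]; then
  echo "ALERT: administrator accounts not in baseline:"
  unexpected_admins "$BASELINE" "$SAMPLE_CSV"
fi
```

Run it from cron and alert on any non-empty output, and update the baseline only after a human has confirmed a new administrator is legitimate.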
In conjunction with that, security analysts advise keeping a constant watch on incoming threats. Cybercriminals are one step ahead of the game on this one, so protecting your site means staying on the lookout and understanding new attack vectors and methods as they emerge.