安全资讯|攻击者正试图占领成千上万的WordPress网站

攻击中利用的问题之一是一个零日漏洞，该漏洞会影响多个插件，并且可能使黑客创建管理员帐户并接管站点。

NinTechNet的研究人员报告了一个持续进行的活动，该活动在过去几个小时内观察到，该活动正在积极利用WordPress的WooCommerce灵活结帐字段中的零日漏洞。

该插件有20,000多个活动安装，并且其开发人员已经修复了影响版本2.3.1及更低版本的未经身份验证的存储XSS错误。

“在过去的几个小时中，该漏洞已得到积极利用，并且有数名用户被黑。我不会提供太多有关此问题的详细信息（尽管黑客已经对此有所了解），但是，基本上，因为任何人都可以访问插件设置，无论是否经过身份验证，黑客都可以使用它来注入新的字段和脚本 进入WooCommerce结帐页面。” 指出专家发表的帖子。

不幸的是，在过去的几个小时里，黑客还针对了其他零日漏洞。

WordPress安全公司Defiant的专家报告了WordPress插件在积极利用下的三个0day。

这三个0day分别是：

• 一个订阅者+存储的XSS，会影响具有100,000多次安装的Async JavaScript插件。
• 未经身份验证的XSS存储在10Web Map Builder for Google Maps插件中，安装量超过20,000。
• 多个订户将XSS存储在具有超过40,000个安装的Modern Events Calendar Lite插件中。

“昨天早些时候， WooCommerce的灵活结帐字段插件进行了重要更新，以修补零日漏洞，攻击者可以利用该漏洞来修改插件的设置。” 阅读WordFence发布的公告。“在我们的威胁情报团队研究此攻击活动的范围时，我们在流行的WordPress插件中发现了三个额外的零日漏洞，这些漏洞已被用作该活动的一部分。目标插件是异步JavaScript，现代事件日历精简版和适用于Google Maps的10Web Map Builder。目前，我们已经与每个插件的开发团队联系，希望能够迅速解决这些问题。”

异步JavaScript和适用于Google Maps的10Web Map Builder的开发团队已经发布了安全更新以解决这个漏洞。

“此攻击活动利用上述插件中的XSS漏洞注入恶意Javascript，这些Javascript可以创建恶意的WordPress管理员并安装包括后门的恶意插件，” WordFence继续说道。“重要的是，使用这些插件的站点管理员必须紧急采取措施来减轻这些攻击。”

对于WordPress网站的管理员来说，现在不是一个好时期，几天前专家警告说，针对流行的Duplicator WordPress插件中的零日漏洞的新一轮攻击。

最近，其他WordPress插件的问题成为头条新闻：

• 2020年1月– InfiniteWP插件中的身份验证绕过漏洞可能会受到300,000多个站点的影响。
• 2020年1月–由于代码片段插件中存在严重的跨站点请求伪造（CSRF）错误，超过20万个WordPress网站受到攻击。
• 2020年2月– ThemeGrill Demo Importer WordPress主题插件存在严重漏洞，活跃安装量超过200,000，可用于擦除网站并获得对该网站的管理员访问权限。
• 2020年2月– GDPR Cookie Consent插件中存储的跨站点漏洞可能会影响70万用户。
• 2020年2月– ThemeREX Addons中的零日漏洞已被黑客积极利用，以创建具有管理员权限的用户帐户。

我认为使用专用解决方案保护WordPress安装非常重要，我目前正在使用WordFence解决方案，该公司已获得评估高级功能的许可。

英文原文：

One of the issues exploited in the attacks is a zero-day vulnerability that affects several plugins and that could allow hackers to create admin accounts and take over the sites.

Researchers at NinTechNet reported an ongoing campaign, observed in the past hours, that is actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin.

The plugin has over 20,000 active installations, and its developers have already fixed the unauthenticated stored XSS bug that affects version 2.3.1 and below.

“The vulnerability has been actively exploited for the past hours and several users have been hacked. I’m not going to give too many details about this issue yet (although hackers already know about it), but, basically, because the plugin settings can be accessed by anybody, authenticated or not, hackers use it to inject new fields and scripts into the WooCommerce checkout page.” states the post published by the experts.

Unfortunately, other zero-day vulnerabilities were targeted by hackers in the past hours.

Experts at WordPress security firm Defiant reported three zero-day vulnerabilities in WordPress plugin under active exploitation.

The zero-day flaws are:

• a subscriber+ stored XSS affecting the Async JavaScript plugin that has over 100,000 installs.
• an unauthenticated stored XSS in the 10Web Map Builder for Google Maps plugin that has over 20,000 installs.
• multiple subscriber stored XSS in Modern Events Calendar Lite plugin that has over 40,000 installs.

“Early yesterday, the Flexible Checkout Fields for WooCommerce plugin received a critical update to patch a zero-day vulnerability which allowed attackers to modify the plugin’s settings.” reads the advisory published by WordFence. “As our Threat Intelligence team researched the scope of this attack campaign, we discovered three additional zero-day vulnerabilities in popular WordPress plugins that are being exploited as a part of this campaign. The targeted plugins were Async JavaScript, Modern Events Calendar Lite, and 10Web Map Builder for Google Maps. At this time, we have reached out to each plugin’s development team in hopes of getting these issues resolved quickly.”

The development teams behind the Async JavaScript and 10Web Map Builder for Google Maps have already issued security updates to address the zero-day flaws.

“This attack campaign exploits XSS vulnerabilities in the above plugins to inject malicious Javascript that can create rogue WordPress administrators and install malicious plugins that include backdoors,” continues WordFence. “It is important that site administrators using these plugins urgently take steps to mitigate these attacks.”

It is not a good period for administrators of WordPress sites, a few days ago experts warned of a new wave of attacks targeting a zero-day vulnerability in the popular Duplicator WordPress Plugin.

Recently the issues with other WordPress plugins made the headlines:

• Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact by more than 300,000 sites.
• Jan. 2020 – Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in Code Snippets plugin.
• Feb. 2020 – A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin with over 200,000 active installs can be exploited to wipe sites and gain admin access to the site.
• Feb. 2020 – A stored cross-site vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.
• Feb. 2020 – A zero-day vulnerability in the ThemeREX Addons was actively exploited by hackers in the wild to create user accounts with admin permissions.

I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.

文章由白帽技术与网络安全翻译整理，未经授权禁止转载！