Attackers are actively targeting vulnerable WordPress websites to exploit a widespread WooCommerce Payments plugin vulnerability and gain administrator rights.
The WooCommerce Payments plugin, with more than 600,000 active installations, facilitates credit and debit card payments in WooCommerce stores.
The Wordfence Threat Intelligence team’s cybersecurity analysts recently discovered the vulnerability in the WooCommerce Payments plugin; it is tracked as CVE-2023-28121.
Massive attacks exploited the vulnerability from July 14–16, 2023, with 1.3 million attacks on 157,000 sites at their peak.
Automattic pushed mandatory security fixes to WordPress sites, preventing remote users from impersonating admins and gaining full control. While no active exploitation had been reported at the time, researchers cautioned against future exploitation given the critical nature of the bug.
Wordfence researchers discovered attackers exploiting a flaw in WooCommerce Payments by adding an ‘X-WCPAY-PLATFORM-CHECKOUT-USER’ header to their requests, which grants full control over vulnerable WordPress sites, as demonstrated in a proof-of-concept exploit by RCE Security.
To execute code remotely on the vulnerable site, the threat actor then installs the WP Console plugin using the administrative privileges obtained through the bypass.
A request attempting to install the wp-console plugin (Source: Wordfence)
Once installed, WP Console lets the threat actors execute PHP code and deploy a persistent file uploader as a backdoor, so they keep access even after the vulnerability is patched.
A request attempting to use the wp-console plugin to execute malicious code (Source: Wordfence)
The attack itself appears to be focused on a smaller group of websites, but its early warning signs included a surge in plugin enumeration requests for the ‘readme.txt’ file across millions of sites.
Total requests by date looking for readme.txt files (Source: Wordfence)
Wordfence observed attackers using the exploit to create admin accounts with random passwords, and the threat actors scan for vulnerable sites by requesting the following directory:
In addition, security researchers have identified seven IP addresses in the attacks, including 126.96.36.199, which scanned 213,212 sites.
188.8.131.52: 213,212 sites attacked
2a10:cc45:100::5474:5a49:bfd6:2007: 90,157 sites attacked
184.108.40.206: 27,346 sites attacked
220.127.116.11: 14,799 sites attacked
18.104.22.168: 14,619 sites attacked
22.214.171.124: 14,509 sites attacked
126.96.36.199: 13,491 sites attacked
Thousands of IP addresses appear in the readme.txt requests, but only around 5,000 of them went on to conduct actual attacks, which makes the enumeration addresses less useful to defenders as indicators.
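As an added defender’s example (not code from Wordfence or this article), the following Python script triages constructed reverse-proxy log records for the three signals described above: requests carrying the ‘X-WCPAY-PLATFORM-CHECKOUT-USER’ header, wp-console plugin activity, and readme.txt enumeration aggregated per source IP. The JSON-lines log format, the sample IPs and the request paths are assumptions.

```python
# Added example (not Wordfence's or the article's code). Assumed log format:
# JSON lines with ip, method, path and a headers map, as a reverse proxy might emit.
import json
import re
from collections import Counter

BYPASS_HEADER = "x-wcpay-platform-checkout-user"  # header names compare case-insensitively
README_RE = re.compile(r"^/wp-content/plugins/[^/]+/readme\.txt$", re.I)

# Constructed sample records (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """
{"ip": "203.0.113.10", "method": "GET", "path": "/wp-content/plugins/woocommerce-payments/readme.txt", "headers": {}}
{"ip": "203.0.113.10", "method": "GET", "path": "/wp-content/plugins/woocommerce/readme.txt", "headers": {}}
{"ip": "203.0.113.10", "method": "POST", "path": "/wp-json/wp/v2/users", "headers": {"X-WCPAY-PLATFORM-CHECKOUT-USER": "1"}}
{"ip": "203.0.113.10", "method": "POST", "path": "/wp-admin/update.php?action=install-plugin&plugin=wp-console", "headers": {"x-wcpay-platform-checkout-user": "1"}}
{"ip": "198.51.100.7", "method": "GET", "path": "/wp-content/plugins/akismet/readme.txt", "headers": {}}
"""

def parse_log(text):
    """One dict per log line; blank or malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def classify(rec):
    """Tag one request with each stage of the attack chain it matches."""
    tags = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    full_path = rec.get("path", "")
    if BYPASS_HEADER in headers:                     # privilege-escalation attempt
        tags.append("wcpay_auth_bypass")
    if "wp-console" in full_path.lower():            # post-exploitation tooling
        tags.append("wp_console_activity")
    if README_RE.match(full_path.split("?", 1)[0]):  # plugin enumeration probe
        tags.append("plugin_enumeration")
    return tags

def triage(text, enum_threshold=2):
    """Per-request alerts, plus IPs whose readme.txt probes reach the threshold."""
    alerts, probes = [], Counter()
    for rec in parse_log(text):
        tags = classify(rec)
        if "plugin_enumeration" in tags:
            probes[rec["ip"]] += 1
        alerts += [(rec["ip"], rec["path"], t) for t in tags if t != "plugin_enumeration"]
    return {"alerts": alerts, "enumerators": {ip: n for ip, n in probes.items() if n >= enum_threshold}}
```

A single readme.txt probe from an address is deliberately not alerted on, since the article notes that most enumerating addresses never attack; raise or lower enum_threshold to tune that.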
To mitigate the risk posed by CVE-2023-28121, it is highly recommended that all WooCommerce Payments plugin users update their installations immediately. Site admins should additionally scan for unexpected PHP files and suspicious admin accounts.
The post Massive Exploit Against WooCommerce Payments Underway Bug on 600,000 Websites appeared first on Cyber Security News.