

Ethical Hacking News

Over 6,000 WordPress Sites Compromised by Malicious Plugins: A Growing Threat to Cybersecurity


Over 6,000 WordPress sites have been compromised by malicious plugins that push information-stealing malware. The ClickFix campaign highlights the ongoing threat posed by this type of attack and underscores the importance of vigilance and awareness among website administrators and users alike.

  • Over 6,000 WordPress sites have been compromised with malicious plugins that push information-stealing malware.
  • The malicious campaign, dubbed "ClickFix", uses fake browser update banners to deceive users into installing malware.
  • The threat actors use stolen admin credentials to log in and install the malicious plugins with relative ease.
  • Malicious plugins designed to mimic legitimate ones can be installed without site administrators' knowledge or consent.
  • Website administrators should remove unknown plugins, reset admin passwords, and monitor their sites for suspicious activity.



    In a disturbing trend that highlights the ever-evolving nature of cyber threats, over 6,000 WordPress sites have been compromised and infected with malicious plugins that push information-stealing malware. This latest development underscores the importance of regular security updates, vigilance, and awareness among website administrators and users alike.

    The malicious campaign, which has been dubbed "ClickFix" by cybersecurity experts, utilizes fake browser update banners to deceive end-users into installing information-stealing malware. The threat actors have compromised a significant number of WordPress sites, often using stolen admin credentials to log in and install the malicious plugins. This approach allows them to execute the attacks with relative ease, as the plugins appear to be legitimate and are installed without the knowledge or consent of the site administrators.

    The ClickFix campaign is reminiscent of another malware campaign known as ClearFake, which has been active since 2023. While both campaigns share similarities in their tactics, techniques, and procedures (TTPs), the ClickFix variant uses a different approach to deceive users into installing the malware. In the case of ClearFake, fake browser update banners were displayed on compromised websites, while in the ClickFix campaign, the threat actors use fake error messages with included fixes that download and install information-stealing malware.

    The malicious plugins themselves are designed to be convincing and appear harmless to website administrators. However, they contain embedded scripts that deliver fake browser update prompts to end-users, luring them into installing additional software that exposes their devices to further attacks. The list of malicious plugins seen in this campaign includes names such as LiteSpeed Cache Classic, Custom CSS Injector, MonsterInsights Classic, and Wordfence Security Classic, which are designed to mimic legitimate plugins.

    To understand the extent of the issue, it is essential to examine the behavior of the threat actors involved. According to GoDaddy security researcher Denis Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner. This approach allows them to carry out the attacks with relative ease, as they do not need to visit the site's login page before executing the malicious code.

    Brute force attacks, phishing, and information-stealing malware are likely sources of the stolen credentials used by the threat actors. Whatever the source, it is essential for website administrators to remain vigilant and take immediate action if their sites are compromised.

    To protect themselves from these types of attacks, WordPress site administrators should examine the list of installed plugins on their sites and remove any that they did not install themselves. Furthermore, they should immediately reset the passwords for any admin users to a unique password only used at their site.
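
The plugin review described above can be scripted. The following is an added example, not code from the original article or from GoDaddy's research: it reads the "Plugin Name:" header of each entry in a plugins directory and reports anything that carries one of the names listed in this article or is missing from an administrator-supplied approved list. The function names, the `approved_slugs` set and the sample directory tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Plugin names the article lists for this campaign (lower-cased for comparison).
CAMPAIGN_NAMES = {"litespeed cache classic", "custom css injector",
                  "monsterinsights classic", "wordfence security classic"}
# WordPress takes a plugin's display name from a "Plugin Name:" header comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def plugin_name(php_file):
    """Return the Plugin Name header found in the first 8 KiB, or None."""
    with open(php_file, "rb") as fh:
        head = fh.read(8192).decode("utf-8", errors="replace")
    match = HEADER_RE.search(head)
    return match.group(1) if match else None

def audit_plugins(plugins_dir, approved_slugs):
    """Return (slug, name, reason) for every plugin an admin should review."""
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        files = sorted(entry.glob("*.php")) if entry.is_dir() else [entry]
        names = [n for n in (plugin_name(f) for f in files if f.suffix == ".php") if n]
        if not names:
            continue  # no plugin header (e.g. the stock index.php)
        slug = entry.name if entry.is_dir() else entry.stem
        if names[0].lower() in CAMPAIGN_NAMES:
            findings.append((slug, names[0], "name listed for this campaign"))
        elif slug not in approved_slugs:
            findings.append((slug, names[0], "not on the approved list"))
    return findings

def build_sample_tree(root):
    """Create a constructed plugins directory (sample data, not real IoCs)."""
    sample = {"site-forms/site-forms.php": "Site Forms",
              "wordfence-security-classic/wordfence-security-classic.php": "Wordfence Security Classic",
              "seo-helper/seo-helper.php": "SEO Helper"}
    for rel, name in sample.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True)
        path.write_text(f"<?php\n/**\n * Plugin Name: {name}\n */\n")
    Path(root, "index.php").write_text("<?php // Silence is golden.\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for slug, name, reason in audit_plugins(build_sample_tree(tmp), {"site-forms"}):
            print(f"REVIEW {slug}: {name} ({reason})")
```

A name match is only a starting point for review, since the article lists these names as examples; the approved-list comparison is what catches plugins under other names.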

    In conclusion, the ClickFix campaign highlights the ongoing threat posed by information-stealing malware and the importance of regular security updates, awareness, and vigilance among website administrators and users alike. By understanding the tactics, techniques, and procedures employed by these threat actors, individuals can take steps to protect themselves and prevent further attacks on their websites.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/over-6-000-wordpress-hacked-to-install-plugins-pushing-infostealers/


  • Published: Mon Oct 21 15:38:53 2024 by llama3.2 3B Q4_K_M













         

