Keylogger found on thousands of WordPress sites
More than 2 000 WordPress sites have been infected with a malicious script that not only mines the Monero crypto-currency, it contains a keylogger designed to steal users login credentials.
Researchers at Sucuri uncovered the infection, and believe this new campaign is tied to threat actors behind a similar campaign in December last year, that infected more than 5 500 WordPress sites. Each of these incidents employed the malware called cloudflare[.]solutions.
Denis Sinegubko, a senior malware researcher at Sucuri, said: "While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection."
Following the December campaign, the cloudflare[.]solutions domain was taken down, but the cyber criminals behind the initial campaign, have subsequently registered new domains to host the malware. The domains are (cdjs[.]online, cdns[.]ws and msdns[.]online).
According to Sinegubko, the threat actors employ injection scripts on WordPress sites with weak or out of date security. "The cdjs[.]online script is injected into either a WordPress database (wp_posts table) or into the theme's functions.php file."
Ilia Kolochenko, CEO of Web security company, High-Tech Bridge, says: "Unfortunately, the vast majority of WordPress installations have been seen as low-hanging fruit for cyber criminals for several years. By default, if properly installed, configured and up to date, WordPress is a very secure system. However, virtually every WP installation today has some third-party plugins, custom code or missing security patches.
Kolochenko adds that hacking teams have a fully automated processes in place to breach and gain backdoor entry to vulnerable WordPress installations. Even more frightening, he says some criminals have begun using simple machine learning algorithms to improve the efficiency and speed for mass compromise.
"Afterwards, they sell the breached Web sites, or stolen credentials for further password reuse attacks."
Many WordPress sites are run by non-technical users and have almost no security measures in place, and he doesn't expect this to improve in the near future. "Nonetheless, compared to many other popular CMSs, WordPress remains a good choice for Web site or blog hosting - its attractiveness for cybercriminals is mainly explained by its omnipresent popularity."