Attackers who are actively exploiting a critical remote code execution flaw affecting over 600,000 WordPress sites running vulnerable File Manager plugin versions have also been seen protecting the sites they compromise from other threat actors’ attacks.
The critical vulnerability allows unauthenticated attackers to upload malicious PHP files and execute arbitrary code following successful exploitation [1, 2, 3]. File Manager’s dev team addressed the flaw with the release of File Manager 6.9.
Even though the flaw was patched within hours after the devs were informed by Seravo’s on-call security officer Ville Korhonen, who discovered the zero-day flaw and the ongoing attacks trying to exploit it, researchers with WordPress security firm Defiant spotted more than 1.7 million sites being probed by threat actors between September 1st and September 3rd.
In an updated report published today, Defiant threat analyst Ram Gall says that the threat actors haven’t stopped their siege, with the total number of WordPress sites being targeted going up to 2.6 million.
File Manager’s dev team addressed the actively exploited critical vulnerability with the release of File Manager 6.9
Ongoing Attacks
Multiple threat actors are currently targeting this vulnerability on sites running vulnerable versions of the File Manager plugin according to Defiant, but two of them have had the most success in deploying malware on vulnerable sites.
One of them is bajatax, a Moroccan threat actor previously known for having a penchant for stealing user credentials from PrestaShop e-commerce websites.
Once he manages to compromise a WordPress site as part of the ongoing attacks, bajatax injects malicious code that harvests and exfiltrates user credentials via Telegram on any login attempt, later to be sold to the highest bidder.
The other one injects a backdoor both into a randomized folder and into the site’s webroot, each camouflaged as a .ico file, to lower the chance that the site admin will find both and cut off the threat actor’s access to the website.
As Gall explains, the PHP infector used by this second attacker is a variant of an infection previously used to deploy cryptominers and run SEO spam campaigns via compromised sites.
Fighting Over Control
Defiant has seen both of them trying to block other attackers’ exploit attempts by password-protecting the exploitable connector.minimal.php file on sites they’ve infected.
“Our site cleaning team has cleaned a number of sites compromised by this vulnerability, and in many cases, malware from multiple threat actors is present,” Gall explains.
“The aforementioned threat actors have been by far the most successful due to their efforts to lock out other attackers, and are collectively using several thousand IP addresses in their attacks.”
NinTechNet, who also reported the exploit attempts when the attacks started, also discovered the attackers’ attempts to block others from compromising already infected sites by password-protecting files exposed to writing by the File Manager flaw.
Blocking further exploitation (NinTechNet)
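The two indicators described above, PHP backdoors disguised as .ico files dropped in a random folder and in the webroot, and a connector.minimal.php that an intruder has password-protected to lock out rivals, can be triaged with a short scan of the site tree. The following Python script is an added example for defenders; it is not code from the article, Defiant or NinTechNet. It assumes a constructed sample layout (the plugin directory name and the randomized upload folder are placeholders) and assumes that the password protection was done with Apache .htaccess/.htpasswd files placed next to the connector, which the article does not specify.

```python
import tempfile
from pathlib import Path

# Genuine Windows icon files start with this 4-byte header (reserved=0, type=1).
ICO_MAGIC = b"\x00\x00\x01\x00"
# PHP open tags; a real icon has no reason to contain either of them.
PHP_MARKERS = (b"<?php", b"<?=")


def ico_contains_php(path: Path) -> bool:
    """True when a .ico file carries a PHP open tag anywhere in its bytes.

    The check deliberately ignores whether the ICO magic header is present,
    so an icon with PHP appended after a valid header is still flagged.
    """
    data = path.read_bytes()
    return any(marker in data for marker in PHP_MARKERS)


def scan_webroot(root) -> list:
    """Walk a WordPress document root and return sorted (indicator, path) pairs.

    Indicators:
      php-in-ico                   a .ico file that contains PHP code
      connector-present            File Manager's connector.minimal.php exists
      connector-password-protected .htaccess/.htpasswd sits beside the connector
                                   (assumption: lock-out done via Apache auth)
    """
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() == ".ico" and ico_contains_php(p):
            findings.append(("php-in-ico", rel))
        if p.name == "connector.minimal.php":
            findings.append(("connector-present", rel))
            siblings = {s.name for s in p.parent.iterdir()}
            if siblings & {".htaccess", ".htpasswd"}:
                findings.append(
                    ("connector-password-protected", p.parent.relative_to(root).as_posix())
                )
    return sorted(findings)


def build_sample_site() -> Path:
    """Create a constructed sample tree (not taken from a real compromise)."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    # A legitimate icon: correct magic header, no PHP inside.
    (root / "favicon.ico").write_bytes(ICO_MAGIC + b"\x01\x00" + b"\x00" * 16)
    # Fake icon in the webroot carrying PHP (placeholder body, no real payload).
    (root / "logo.ico").write_bytes(b"<?php /* constructed placeholder */ ?>")
    # Fake icon in a randomized folder name (placeholder name).
    rnd = root / "wp-content" / "uploads" / "x7q"
    rnd.mkdir(parents=True)
    (rnd / "cache.ico").write_bytes(ICO_MAGIC + b"<?= /* appended after header */ ?>")
    # Plugin connector with an attacker-added .htaccess beside it (assumed mechanism).
    lib = root / "wp-content" / "plugins" / "file-manager-sample" / "lib"
    lib.mkdir(parents=True)
    (lib / "connector.minimal.php").write_text("<?php // plugin connector placeholder\n")
    (lib / ".htaccess").write_text("AuthType Basic\nRequire valid-user\n")
    return root


if __name__ == "__main__":
    for indicator, path in scan_webroot(build_sample_site()):
        print(f"{indicator:30} {path}")
```

Run it against a real document root by calling `scan_webroot("/var/www/html")`; every `php-in-ico` hit should be quarantined and compared against a clean plugin copy, and a `connector-password-protected` hit on a site the administrator never locked down is itself a sign of the post-compromise lock-out described above.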
In all, Defiant’s researchers saw attacks trying to exploit this vulnerability originating from more than 370,000 separate IP addresses, with almost no overlap in backdoor access activity.
“The single exception is the IP 51.83.216.204, which appears to be a third party opportunistically checking for the presence of both of these backdoors and then attempting to add a backdoor of its own, without much success,” Gall added.