- Researchers discover 10,000 compromised WordPress sites
- The sites were embedded with malicious JavaScript code
- The goal was to deliver infostealers to victims
Ten thousand WordPress websites were being used to deliver infostealing malware to victims running both Windows and macOS devices, experts have warned.
A report from cybersecurity researchers at c/side claims a threat actor likely compromised different WordPress sites using an older version of the platform (6.7.1) and with it – an older, outdated plugin. Once the sites are breached, the attackers would deploy malicious JavaScript code, which would generate a fake page in an iframe, to the visitors.
When a victim visits one of these sites, they would see an overlaid page stating they need to update their browser if they want to view the contents of the page. However, instead of downloading a patch, the victims would get either Atomic (AKA AMOS, a popular infostealer for macOS), or SocGholish (basically the same thing, just for Windows).
Stealing sensitive files
These infostealers would grab all sorts of sensitive information from the target endpoint – from passwords stored in the browser, to session cookies, cryptocurrency wallet information, and other potentially sensitive files.
Defending against these attacks requires web administrators to keep their sites up to date.
The WordPress website builder platform, for starters, should be upgraded to version 6.7, released in mid-November, 2024. The admins should then go through all the themes and plugins they have installed, and remove all the ones they’re not using. The remaining ones should then be updated, as well.
Finally, admins should look for malicious scripts and delete them. C/side claims that attackers leave a backdoor most of the time, to be able to easily return, if need be. If they do find traces of compromise, they should also review logs from the last 90 days to identify what kind of malicious activity was done.
Leave a comment