[dba-Tech] Ransomware Criminals Infect Thousands With Weird WordPress Hack
John R Bartow
jbartow at winhaven.net
Fri Feb 5 23:18:51 CST 2016
An unexpectedly large number of WordPress websites have been mysteriously
compromised and are delivering the TeslaCrypt ransomware to unwitting
end-users. Antivirus is not catching this yet.
In the last few days, malware researchers from Malwarebytes and other
security firms have reported that a massive number of legit WordPress sites
somehow have been compromised and are silently redirecting visitors to sites
with the Nuclear Exploit Kit. It's not yet clear how the WordPress sites
are getting infected, but it is highly likely that there is a new
vulnerability that is being exploited in either WP or a very popular WP
plugin.
"WordPress sites are injected with huge blurbs of rogue code that perform a
silent redirection to domains appearing to be hosting ads," Malwarebytes
Senior Security Researcher Jérôme Segura wrote in a blog post published
Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more
code that sends visitors to the Nuclear Exploit Kit."
The compromised WordPress sites were hacked and included encrypted code at
the end of all legitimate JavaScript files. The malware tries to infect all
accessible .js files. The attack tries to conceal itself and the code
redirects end-users through a series of sites before dropping the ransomware
payload. Once a WP Server is infected, the malware also installs a variety
of backdoors on the machine.
What To Do About It If You Run WordPress:
Patch Server Operating Systems
Patch WordPress
Get rid of as many WP plugins as possible and patch the current ones
Update all your WP instances at the same time to prevent
cross-infections
Lock down all WP instances with a very strong password and the WP
2-factor authentication
More information about the dba-Tech
mailing list