WP3.XYZ Malware attacks Add Rogue Admins to 5,000+ WordPress Sites.
Webscript security company c/side discovered during an incident response engagement for one of their clients that the malicious activity uses the wp3[.]xyz domain to exfiltrate data but have yet to determine the initial infection vector.
https://cside.dev/blog/over-5k-wordpress-sites-caught-in-wp3xyz-malware-attack
#wordpress #malicious #plugin #it #security #privacy #engineer #media #tech #news![[ImageSource: c/side]
After compromising a target, a malicious script loaded from the wp3[.]xyz domain creates the rogue admin account wpx_admin with credentials available in the code. The script then proceeds to install a malicious plugin (plugin.php) downloaded from the same domain, and activates it on the compromised website.
[⚠️Blocking the Attacks⚠️]
c/side recommends that website owners block the ‘wp3[.]xyz’ domain using firewalls and security tools. Moreover, admins should review other privileged accounts and the list of installed plugins, to identify unauthorized activity and remove them as soon as possible.
Finally, it is recommended that CSRF protections on WordPress sites be strengthened via unique token generation, server-side validation and periodic regeneration. Tokens should have a short expiration time to limit their validity period.
Implementing multi-factor authentication also adds protection to accounts with credentials that have already been compromised.](https://friendica-leipzig.de/photo/preview/600/489521 "[ImageSource: c/side]
After compromising a target, a malicious script loaded from the wp3[.]xyz domain creates the rogue admin account wpx_admin with credentials available in the code. The script then proceeds to install a malicious plugin (plugin.php) downloaded from the same domain, and activates it on the compromised website.
[⚠️Blocking the Attacks⚠️]
c/side recommends that website owners block the ‘wp3[.]xyz’ domain using firewalls and security tools. Moreover, admins should review other privileged accounts and the list of installed plugins, to identify unauthorized activity and remove them as soon as possible.
Finally, it is recommended that CSRF protections on WordPress sites be strengthened via unique token generation, server-side validation and periodic regeneration. Tokens should have a short expiration time to limit their validity period.
Implementing multi-factor authentication also adds protection to accounts with credentials that have already been compromised.")
Webscript security company c/side discovered during an incident response engagement for one of their clients that the malicious activity uses the wp3[.]xyz domain to exfiltrate data but have yet to determine the initial infection vector.
https://cside.dev/blog/over-5k-wordpress-sites-caught-in-wp3xyz-malware-attack
#wordpress #malicious #plugin #it #security #privacy #engineer #media #tech #news
![[ImageSource: c/side]
After compromising a target, a malicious script loaded from the wp3[.]xyz domain creates the rogue admin account wpx_admin with credentials available in the code. The script then proceeds to install a malicious plugin (plugin.php) downloaded from the same domain, and activates it on the compromised website.
[⚠️Blocking the Attacks⚠️]
c/side recommends that website owners block the ‘wp3[.]xyz’ domain using firewalls and security tools. Moreover, admins should review other privileged accounts and the list of installed plugins, to identify unauthorized activity and remove them as soon as possible.
Finally, it is recommended that CSRF protections on WordPress sites be strengthened via unique token generation, server-side validation and periodic regeneration. Tokens should have a short expiration time to limit their validity period.
Implementing multi-factor authentication also adds protection to accounts with credentials that have already been compromised.](https://nerdculture.de/system/media_attachments/files/113/883/249/146/798/681/original/62e28c105c3812a5.png "[ImageSource: c/side]
After compromising a target, a malicious script loaded from the wp3[.]xyz domain creates the rogue admin account wpx_admin with credentials available in the code. The script then proceeds to install a malicious plugin (plugin.php) downloaded from the same domain, and activates it on the compromised website.
[⚠️Blocking the Attacks⚠️]
c/side recommends that website owners block the ‘wp3[.]xyz’ domain using firewalls and security tools. Moreover, admins should review other privileged accounts and the list of installed plugins, to identify unauthorized activity and remove them as soon as possible.
Finally, it is recommended that CSRF protections on WordPress sites be strengthened via unique token generation, server-side validation and periodic regeneration. Tokens should have a short expiration time to limit their validity period.
Implementing multi-factor authentication also adds protection to accounts with credentials that have already been compromised.")
Over 5,000 WordPress sites caught in WP3[.]XYZ malware attack
We’ve uncovered a widespread malware campaign targeting WordPress websites, affecting over 5,000 sites globally. The malicious domain: "https://wp3.xyz/plugin[.]php".c/side
