
WordPress REST API Vulnerability Abused in Defacement Campaigns

[Category: Development (PHP) | Posted by 店小二04 | Date: 2017 | Author: 红领巾]

WordPress 4.7.2 was released two weeks ago, including a fix for a severe vulnerability in the WordPress REST API. We have been monitoring our WAF network and honeypots closely to see how and when attackers would try to exploit this issue in the wild.

In less than 48 hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online. With that information easily available, the internet-wide probing and exploit attempts began.

Patches are Not Being Applied

WordPress has an auto-update feature enabled by default and an easy 1-click manual update process, but unfortunately, not everyone is aware of this issue or able to update their site. This is leading to a large number of sites being compromised and defaced.

We are currently tracking 4 different hacking (defacement) groups doing mass scans and exploit attempts across the internet. We see the same IP addresses and defacers hitting almost every one of our honeypots and our network.

If Google is correct, these defacers seem to be succeeding.

Campaign #1

Just for one defacer, which we call Campaign #1, Google alone shows 66,000+ pages compromised:

[Figure: Google search results for Campaign #1, showing 66,000+ compromised pages]

They started the exploits less than 48 hours ago. We assume Google hasn’t had time to reindex all compromised pages. We anticipate that the number on Google’s SERP will continue to increase as the re-indexing scans continue.

IP Addresses being used:

176.9.36.102
185.116.213.71
134.213.54.163
2a00:1a48:7808:104:9b57:dda6:eb3c:61e1

Defacer[s] group behind it: byw4l3XzY3.

We recommend blocking these IP addresses or investigating their activity in your logs, especially if you didn't update in time.

Campaign #2

The second campaign is not as successful, and Google only shows 500+ pages compromised. This campaign started just a few hours ago, so there has probably not been enough time for Google to index the pages.

IP Address:

37.237.192.22

Defacer[s] group behind it: Cyb3r-Shia.

Campaign #3 and #4

This campaign is a bit unique in that 2 different defacers are sharing the same IP address. Each defacer has compromised over 500 pages according to Google.

IP Address:

144.217.81.160

Defacer[s] group behind it: By+NeT.Defacer & By+Hawleri_hacker

We don’t like naming defacers as they do it for publicity, but we are sharing their names so we can track their growth better and compare with other security companies. If you have been hacked by any of these, or you see their names showing up on any of your blog posts, they likely used this vulnerability to compromise the site.
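Acting on the advice above (block the listed IP addresses or investigate their activity in your logs), here is an added example, not code from the original post or from the authors' WAF: a small Python scanner over combined-format access logs. It flags requests from the IP addresses named for campaigns #1 through #4 and, as a second heuristic that the post itself does not spell out, write requests (POST/PUT/PATCH) to the standard WordPress REST posts route /wp-json/wp/v2/posts/<id> (or its ?rest_route= form), since the post notes that attackers are adding content to posts through the API. The log lines are constructed samples, and the log format, the endpoint regex and the function names are assumptions of this example.

```python
"""Triage helper: find access-log entries worth a closer look after the
WordPress REST API issue. Added example, not part of the original post."""
import ipaddress
import re
from collections import Counter

# IP addresses listed in the post, keyed to the campaign they belong to.
CAMPAIGN_IPS = {
    "176.9.36.102": "Campaign #1",
    "185.116.213.71": "Campaign #1",
    "134.213.54.163": "Campaign #1",
    "2a00:1a48:7808:104:9b57:dda6:eb3c:61e1": "Campaign #1",
    "37.237.192.22": "Campaign #2",
    "144.217.81.160": "Campaign #3/#4",
}

# Assumption: logs use the Apache/nginx "combined" format. Only the leading
# fields are parsed; referer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Heuristic (this example's, not the post's): a write to a specific post via
# the REST API, either the pretty route or the ?rest_route= fallback.
POSTS_WRITE_RE = re.compile(r'^/(?:\?rest_route=/|wp-json/)wp/v2/posts/\d+')
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def normalize_ip(raw):
    """Canonicalise an address so IPv6 spelling variants still match the list."""
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return raw


def classify(line):
    """Return the reasons a log line is suspicious; an empty list means none."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    ip = normalize_ip(m.group("ip"))
    if ip in CAMPAIGN_IPS:
        reasons.append(f"known defacer IP ({CAMPAIGN_IPS[ip]})")
    if m.group("method") in WRITE_METHODS and POSTS_WRITE_RE.match(m.group("path")):
        reasons.append(
            f"REST posts write {m.group('method')} {m.group('path')} -> {m.group('status')}"
        )
    return reasons


def scan(lines):
    """Scan log lines; return (list of (ip, reasons), Counter of hits per ip)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        reasons = classify(line)
        if reasons:
            ip = normalize_ip(LOG_RE.match(line).group("ip"))
            hits.append((ip, reasons))
            per_ip[ip] += 1
    return hits, per_ip


# Constructed sample log lines (not real traffic). Non-campaign addresses come
# from the reserved documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = [
    '176.9.36.102 - - [06/Feb/2017:10:01:12 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 512 "-" "python-requests/2.12"',
    '203.0.113.5 - - [06/Feb/2017:10:01:13 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '37.237.192.22 - - [06/Feb/2017:10:02:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "curl/7.51"',
    '198.51.100.9 - - [06/Feb/2017:10:03:05 +0000] "POST /?rest_route=/wp/v2/posts/7 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '2a00:1a48:7808:104:9b57:dda6:eb3c:61e1 - - [06/Feb/2017:10:04:11 +0000] "POST /wp-json/wp/v2/posts/3 HTTP/1.1" 401 97 "-" "python-requests/2.12"',
]

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for ip, reasons in found:
        print(ip, "|", "; ".join(reasons))
    print("hits per ip:", dict(counts))
```

A 200 on a REST posts write from an unknown address (the fourth sample line) is the case worth checking first, since the post expects SEO spam injected into existing posts; a known campaign IP with only GET requests is reconnaissance and a candidate for the block list. To run this on a real server, replace SAMPLE_LOG with the lines of your access log.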

Spam SEO will be a Problem

The defacement campaigns are going strong and increasing by the day, but we believe they will slow down in the next few days. What we expect to see is a lot more SEO spam (search engine poisoning) attempts moving forward. There are already a few exploit attempts that try to add spam images and content to a post, and due to the monetization possibilities, that will likely be the #1 route to abuse this vulnerability.

These are the current exploitation attempts against our WAF network over the last 5 days:

[Figure: exploitation attempts against the WAF network over the last 5 days]

This vulnerability is very recent and a lot may change in the next few days. We will keep sharing updates as this issue progresses.

Source page: http://www.codesec.net/view/532136.html