WordPress Targeted with Mass Ransomware Campaign

A massive malware campaign has been found targeting WordPress websites.

The sites were compromised with obfuscated JavaScript injected into their pages, and all of them redirect visitors to a domain hosting the Nuclear exploit kit, which is sold under the exploit-kit-as-a-service model. The EK then probes the visitor's browser for vulnerable versions of Flash, Adobe Reader or Acrobat, Internet Explorer and Silverlight; if it finds one, the infection delivers TeslaCrypt. The payload is interchangeable: the same redirect chain could just as well drop CryptoWall or another ransomware family on the victim's PC.
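The article describes the injected code only as "obfuscated JavaScript" that redirects to the exploit-kit domain. One practical check a site owner can run is a heuristic scan of theme and plugin files for the usual obfuscation and hidden-redirect patterns. The script below is an added example, not code from the article or from Heimdal Security; the indicator regexes, the entropy threshold, the file extensions and both sample footer.php contents are assumptions constructed for illustration, not published signatures.

```python
"""Heuristic scan of a WordPress install for injected, obfuscated JavaScript.

Added example; not code from the article or from Heimdal Security. The
indicator regexes, the entropy threshold and the sample file contents are
assumptions chosen for illustration, not published signatures.
"""
import math
import os
import re
from collections import Counter

# Indicators typical of injected redirect code (assumed patterns; tune for your site).
INDICATORS = [
    ("eval_unescape", re.compile(r"eval\s*\(\s*(?:unescape|atob|decodeURIComponent)\s*\(", re.I)),
    ("fromcharcode", re.compile(r"String\.fromCharCode\s*\(", re.I)),
    ("document_write_unescape", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("hex_escape_run", re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}")),
    ("hidden_iframe", re.compile(
        r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0\b|<iframe[^>]*visibility\s*:\s*hidden", re.I)),
    ("remote_script", re.compile(r"<script[^>]+src\s*=\s*[\"']https?://([^/\"'>]+)", re.I)),
]
LITERAL_RX = re.compile(r"[\"']([^\"'\n]{80,})[\"']")  # long single-line string literals
ENTROPY_THRESHOLD = 4.5  # bits/char; readable JS/HTML normally stays well below this (assumption)


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_content(text, allowed_hosts=()):
    """Return [(indicator, excerpt)] findings for one file's text.

    allowed_hosts lists domains (and their subdomains) whose external scripts
    are expected on the site, e.g. your CDN or analytics provider.
    """
    findings = []
    for name, rx in INDICATORS:
        for m in rx.finditer(text):
            if name == "remote_script":
                host = m.group(1).lower()
                if any(host == h or host.endswith("." + h) for h in allowed_hosts):
                    continue
                findings.append((name, host))
            else:
                findings.append((name, m.group(0)[:60]))
    # Packed payloads tend to show up as long, high-entropy string literals.
    for m in LITERAL_RX.finditer(text):
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_literal", m.group(1)[:40] + "..."))
    return findings


def scan_tree(root, allowed_hosts=(), exts=(".php", ".js", ".html")):
    """Walk a WordPress install; return {relative_path: findings} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            found = scan_content(text, allowed_hosts)
            if found:
                report[os.path.relpath(path, root)] = found
    return report


# Constructed samples (fictional; hosts use the reserved .invalid TLD, the hex blob is just "http://example.invalid").
SAMPLE_INJECTED = r'''<?php wp_footer(); ?>
<script>eval(unescape("%3Cs%63ript%3E"));</script>
<script>var s=String.fromCharCode(104,116,116,112);</script>
<script>var h="\x68\x74\x74\x70\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64";</script>
<script>document.write(unescape('%3Ciframe%20src%3D'));</script>
<iframe src="http://example.invalid/go" width="0" height="0" style="visibility:hidden"></iframe>
<script src="http://cdn.example.invalid/x.js"></script>
</body></html>
'''
SAMPLE_CLEAN = r'''<?php wp_footer(); ?>
<script src="https://www.google-analytics.com/analytics.js"></script>
</body></html>
'''

if __name__ == "__main__":
    for label, sample in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        print(label, scan_content(sample, allowed_hosts=("google-analytics.com",)))
    # Real use: scan_tree("/var/www/html", allowed_hosts=("google-analytics.com",))
```

Run it against the document root of the site (`scan_tree`) after any suspected compromise and, more usefully, on a schedule, diffing the report against a known-good baseline; a hit on `remote_script` for a host you do not recognise is exactly the redirect the article describes. The patterns deliberately err on the side of noise (a legitimate minifier can trip `fromcharcode` or the entropy check), so treat the output as a list of files to read, not as a verdict.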

According to Andra Zaharia, marketing communications manager at Heimdal Security, hundreds of servers hosting WordPress-based websites have already been compromised. Antivirus detection of the exploit code is low: only 2 of 66 engines on VirusTotal flagged it at the time of writing, and the ransomware payload likewise achieves only limited detection.

“Cyber criminals know that moving fast is key for maintaining their anonymity,” she said in a blog post. “So please note that the campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use.”

Heimdal has already blocked more than 85 domains that are being actively used in this campaign.

“These details make this particular malware campaign a massive one, and the trend is likely to continue,” Zaharia said. “With fileless malware infections and commercially available exploit kits, the cybercrime scene is getting more complicated by the day.”

WordPress is a common target for attackers simply because it is so widely used as a content management system for websites.

Website owners running WordPress can protect their servers and their visitors by keeping WordPress core, themes, plugins and the underlying operating system updated at all times; backing up data often and to more than one location; and using a security tool that filters web traffic and blocks exploit-kit and ransomware traffic, which traditional signature-based antivirus often fails to detect or block, as the VirusTotal detection rates above show.

SOURCE: Tara Seals | Infosecurity Magazine
