WordPress, Joomla Subject to Widespread Injection Attack

hosting-wordpressHackers are using the popular jQuery library to inject malicious code into websites powered by WordPress and Joomla. It’s a fairly widespread issue: Since November 2015, Avast has registered more than 4.5 million users who encountered the infection.

Malicious code was found in almost 70 million unique files on hacked websites.

According to Avast researcher Alexej Savcin fake jQuery injections have been very popular among hackers, because jQuery itself is popular.

“JQuery is a very popular JavaScript library,” he explained in a blog. “The basic aim of this library is to erase the differences between implementations of JavaScript in various web browsers. If you have ever tried web coding, you know how tedious it can be to make the code do the same thing in different browsers. Sometimes it is a really big challenge. In such situations, this library can be very useful.” Continue reading


Mysterious spike in WordPress hacks silently delivers ransomware to visitors

It’s still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users.

In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites. The attack sites host code from the Nuclear exploit kit that’s available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them.

“WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads,” Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. “This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit.” Continue reading

Ransomware risk from over 140 million websites, researcher warns

Around 142 million legitimate websites could be serving up ransomware to their unwitting users due to out-of-date software, according to a new study.

The research carried out by IT security firm Heimdal Security found that hackers were using the Neutrino Exploit Kit to inject malicious scripts into outdated webserver software that could potentially reach 400 million users.

According to a blog post by Andra Zaharia at Heimdal Security, the attack is mainly directed at websites running out of date versions of the WordPress content management system or outdated plugins.

She said that out of the one billion websites in the world, 58.7 percent of them run WordPress and over 20 percent of these installations run an outdated version, meaning around 142 million such websites could be vulnerable to ransomware attacks.

“Even websites that run the latest version of WordPress could be vulnerable to this attack if they run outdated plugins and lack in proper security settings,” she said.

She added that the attack is not limited to WordPress websites so the figure could potentially be much more than this.

Zaharia said the exploit worked by injecting a malicious script on the target website that references a halfway house on an attacker’s domain. This domain redirects traffic towards the commercial exploit kit Neutrino, which then tries to force feed the victim’s system with a Teslacrypt variant, a ransomware Trojan.

“Neutrino will exploit writing condition vulnerabilities in Adobe Flash Player, Internet Explorer and Adobe Reader / Acrobat. All the mentioned vulnerabilities are recent and have a low antivirus detection rate because of the multilayer obfuscation system that Neutrino exploit kit uses,” said Zaharia.

“Website administrators, bloggers and everyone who uses a CMS should once again understand that patching and installing the latest updates is key to ensuring basic cyber-security for any type of website and platform, and that security provisions are not only essential for themselves, but for their readers as well,” added Zaharia.

Outdated content management systems provide an easy way for scammers to use websites as launch pads for malware attacks, and too many businesses are unaware of the risk posed by not updating all aspects of WordPress.

From the CMS to plugins, something tends to slip through the cracks and isn’t noticed until it’s too late. Additional wrinkles are caused by small silos being responsible for their own little slice of digital real estate and not communicating with others. As a result, WordPress may be up to date but an old, vulnerable plugin may be lying in wait to cause havoc.

A solid procedure needs to be mapped out between IT and those responsible for the day-to-day interactions with the site itself to ensure everything is running as planned. “If your network is compromised by ransomware and you haven’t invested in a solid backup plan, there could be severe consequences.”

Martin Lee, intelligence manager at Alert Logic says that end users need to be aware of the possibility that any website that they visit, no matter how reputable or related to their work, may still serve malware. “Patching combined with running up-to-date antivirus software provides a lot of protection. Placing a web content filter between users and potentially compromised web sites provides an extra layer of security,” he said.

“Essentially, patching remains an issue for the IT industry. If a system isn’t patched then it’s vulnerable to attackers. The attackers know this and have refined the crime model of exploiting unpatched software in web servers to install exploit kits that exploit unpatched software in visitors.”

Mark James, security specialist at ESET told SC that website CMSs don’t update this software for a few reasons.

“Quite often it’s one of two reasons, either not knowing there’s an update available for the software they are using or just not getting around to it. Checking the installed version numbers against any available updated versions at worst will be a physical check within the application itself or at best an automated check or clickable option within the software itself, either way it must be done on a regular basis,” he said.

He added that patching both applications and operating systems should be run on a weekly basis without fail. “You cannot supply data or services to the public without keeping an eye on the means to offer those services.”

“I appreciate we can’t protect against all vulnerabilities and exploits 100 percent of the time but there’s so many that can be protected just by updating your software. There is no excuse for why it’s not being done, it’s not rocket science and it should not cost you any money to at least check,” he said.

Also on this issue, Steve Nice, Node4’s chief technologist, said that organisations can protect themselves by having a device which filters internet traffic before it reaches the internal network.  “These devices could be called firewalls, proxies, web filters, IDS or UTMs.  They must be updated daily, if not hourly, and will be able to detect and block malicious scripts,” Nice said.