Important Vulnerability on Advanced Custom Fields Plugin for WordPress

Infection description

Starting on Jun 29, we detected a malicious campaign that uses Crontab in a chained infection flow. A closer look reveals a common pattern attackers use in order to inject a backdoor to a vulnerable host.

It starts from logging in with previously stolen credentials to the cPanel service. After that, the attacker makes an attempt to upload a backdoor directly to the public directory. And the final step is to set up a CronJob task, containing obfuscated malware, scheduled to trigger every at regular intervals.

For Linux-based web servers, ModSecurity is an open-source web application firewall (WAF) that protects websites from specific threats. Most threats take advantage of poorly coded web applications either through cross-site scripting (XSS), SQL injection (SQLi), header exploits, session hijacking, and code injection. Web-based exploits are distinctive from network and protocol layer attacks, so they need different technology -- such as a WAF -- to stop them. Most applications have at least one bug, and it could be just one bug that creates a vulnerability. A WAF will help you stop exploits on these vulnerabilities. This articles provides more information about the following topics:

The high severity vulnerability in Post Grid WordPress plugin that appeared in public resources is suspected to be the cause of attackers’ interest to exploit the affected systems.

The discovered vulnerability allows an attacker to forge the template with further inclusion of its code to the application's backend with the ability to perform malicious actions involving privileged users. This could end up with a stolen administrator session or malware injection.

Frequently during an investigation of malicious activity, we face infections that spread through the attack vector that could not be covered by plain WAF rule. For instance, it is possible when

• • a user uploads the “nulled” theme or plugin from an untrusted source which already has malware and could append injection to the application’s core files after installation, or
  • the attacker gains access to the server with a stolen FTP, SSH, cPanel, WHM password. Read our new article with best practices on how to stay on top of cpanel security.

On Wednesday, 2 September, the Imunify360 Web Protection Team detected a significant rise in blocked malware that day. Most of the malware was located in the /wp-file-manager/lib/files/ directory path.

When we investigated, we determined that there was a critical vulnerability in the File Manager plugin for WordPress, and that this vulnerability affected a variety of applications.

Brute force attacks are the most commonly spread type of cyber attack. The goal of the attacker is to gain access to a popular Content Management System (CMS) like WordPress and then use the CMS dashboard’s administrative permissions to perpetrate further infection of the website.

Our monitoring system detected a significant spike in the triggering of WordPress brute force protection rule on July 24. The attack lasted from 2am to 5pm UTC and consisted of approximately 15 million