On Wednesday, 2 September, the Imunify360 Web Protection Team detected a significant rise in blocked malware. Most of the malware was located in the /wp-file-manager/lib/files/ directory path.
When we investigated, we determined that there was a critical vulnerability in the File Manager plugin for WordPress, and that this vulnerability affected a variety of applications.
As you can see from the chart below, this malware was detected on 0.086% of servers protected by Imunify360. The attack vector has now been neutralized, and Imunify360 rejected a large number of intrusion attempts. In total, 24% of the hosted domains were targeted by the attack.
To prevent servers protected by Imunify360 from being infected, we delivered a new ModSecurity protection rule with ID 77316730, "IM360 WAF: WordPress plugin File Manager < 6.9 - Remote Code Execution". The rule was deployed automatically on 3 September. Regardless, we suggest that Imunify users check the current ruleset: it should be v3.33 or later.
The chart below displays the number of events for rule 77316730. At the moment, more than 800,000 incidents have already been recorded and used for analysis.
Other improvements included in this update are described in this blog post: WAF Rules v.3.32 and v.3.33 Released.
We on the Imunify360 Web Protection Team are continuing to watch for new zero-day vulnerabilities, and will publish additional details as soon as we have them.
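A host-side check for the two indicators named in this post (File Manager older than 6.9, and script files under /wp-file-manager/lib/files/) is shown below as an added example; it is not Imunify360 code. It assumes the default plugin location wp-content/plugins/wp-file-manager and the standard WordPress "Version:" plugin header; the function names, the extension list and the sample tree built in demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (6, 9)  # from the rule title on this page: File Manager < 6.9 is affected
PLUGIN_DIR = "wp-content/plugins/wp-file-manager"  # assumption: default plugin path
HEADER_RE = re.compile(rb"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}  # assumption: extensions to review

def parse_version(text):
    """'6.8' -> (6, 8); tuples compare numerically, so 6.10 sorts after 6.9."""
    return tuple(int(part) for part in text.split(".") if part)

def plugin_version(plugin_root):
    """Read the WordPress 'Version:' header from PHP files at the plugin root."""
    for php in sorted(plugin_root.glob("*.php")):
        match = HEADER_RE.search(php.read_bytes()[:8192])
        if match:
            return parse_version(match.group(1).decode())
    return None

def audit_site(docroot):
    """Return None if the plugin is absent, else its version and files to review."""
    root = Path(docroot) / PLUGIN_DIR
    if not root.is_dir():
        return None
    version = plugin_version(root)
    files_dir = root / "lib" / "files"  # directory named in this post
    flagged = sorted(
        p.relative_to(root).as_posix()
        for p in files_dir.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_EXT
    ) if files_dir.is_dir() else []
    # An unreadable version is treated as needing attention, not as safe.
    needs_update = version is None or version < FIXED
    return {"version": version, "needs_update": needs_update, "review": flagged}

def demo():
    """Audit a constructed site tree (sample data, not taken from a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        files_dir = Path(tmp) / PLUGIN_DIR / "lib" / "files"
        files_dir.mkdir(parents=True)
        (files_dir.parents[1] / "plugin-main.php").write_text(
            "<?php\n/*\n * Plugin Name: File Manager\n * Version: 6.8\n */\n")
        (files_dir / "x.php").write_text("<?php // constructed placeholder\n")
        (files_dir / "notes.txt").write_text("not a script\n")
        return audit_site(tmp)

if __name__ == "__main__":
    print(demo())
```

Files listed under "review" are candidates for inspection, not confirmed malware; run audit_site() against each document root on the server.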
Please Share Your Feedback
The Imunify360 Web Protection Team would like to hear from you. To share your ideas and observations on vulnerabilities like the one described above, please send them to us at firstname.lastname@example.org.
If you have questions on how to use Imunify360, or you’d like to resolve a support issue, please contact the Imunify360 support team at cloudlinux.zendesk.com.