We designed a set of messages to report information about security threats that are dangerous for the server. Imunify uses the cPanel Contact Manager to send notifications about those threats. We hope you will find them helpful. This feature can be managed through the CLI.
Dear customers,
We've identified a concern with Yandex bot crawling that may impact your website's visibility. Our investigation shows that, besides legitimate Yandex bots, some traffic from these IP addresses may be malicious.
While we're collaborating with Yandex's support team for a solution, here are some interim measures:
Dear Imunify customers,
We would like to inform you about a recent security incident that may have affected the analytical data collected from your servers by the Imunify product (e.g., attacker IP addresses, captcha events, etc.). Your privacy and information security are our top priorities, and we deeply regret any inconvenience this may cause.
Infection description
Starting on Jun 29, we detected a malicious campaign that uses Crontab in a chained infection flow. A closer look reveals a common pattern attackers use to inject a backdoor into a vulnerable host.
It starts with a login to the cPanel service using previously stolen credentials. After that, the attacker attempts to upload a backdoor directly to the public directory. The final step is to set up a CronJob task, containing obfuscated malware, scheduled to trigger at regular intervals.
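A defender's check for the last step of this chain, as an added example that is not Imunify's code or part of the original post: it parses a user crontab and flags entries whose command shows common obfuscation markers. The patterns, the function names and the sample crontab are assumptions constructed for illustration, not indicators taken from this campaign.

```python
import re

# Heuristic markers of an obfuscated cron command (assumed for this example).
PATTERNS = {
    "base64-decode": re.compile(r"base64\s+(-d|--decode)|base64_decode\s*\(", re.I),
    "eval": re.compile(r"\beval\b", re.I),
    "pipe-to-interpreter": re.compile(r"\|\s*(sh|bash|php|perl|python\d?)\b"),
}
# A long run of base64-alphabet characters; may also hit unusually long plain paths.
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=]{40,}")
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def split_entry(line):
    """Return (schedule, command) for a user crontab line, or None if it is not a job."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
        return None
    if line.startswith("@"):  # @hourly, @reboot, ...
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)  # five time fields, then the command
    return (" ".join(parts[:5]), parts[5]) if len(parts) == 6 else None

def scan_crontab(text):
    """Return [(line_number, schedule, [reasons])] for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = [name for name, rx in PATTERNS.items() if rx.search(command)]
        if LONG_TOKEN.search(command):
            reasons.append("long-encoded-blob")
        if reasons:
            findings.append((lineno, schedule, reasons))
    return findings

BLOB = "QUFB" * 12  # constructed, harmless: base64 of 36 "A" characters
SAMPLE_CRONTAB = "\n".join([  # constructed sample, e.g. the output of `crontab -l -u <user>`
    'MAILTO=""',
    "# nightly backup",
    "0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1",
    f"*/10 * * * * echo {BLOB} | base64 -d | sh",
    f"@hourly php -r 'eval(base64_decode(\"{BLOB}\"));'",
])

if __name__ == "__main__":
    for lineno, schedule, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno} [{schedule}]: {', '.join(reasons)}")
```

A hit is a prompt for manual review of that account's crontab and recent cPanel logins, not proof of compromise.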