Last week we reported that in the File Manager plugin was found dangerous vulnerability for WordPress, which allows uploading malicious files to vulnerable sites.
File Manager plugin is used by more than 700,000 resources, and although the vulnerability has already been fixed, a few days ago more than half of the sites were still considered vulnerable.Attacks on this vulnerability began almost immediately: cybercriminals uploaded web shells to websites that allowed them to take control of the resource and use it for their own purposes. The researchers wrote that cybercriminals are trying to inject various files into websites. In some cases, these files were empty (obviously, the hackers were only testing the vulnerability), other malicious files were named hardfork.php, hardfind.php, and x.php, and after September 3, 2020, arrived files Feoidasf4e0_index.php.
Now, the experts at Defiant, behind the development of Wordfence, have warned that attacks on the vulnerability have skyrocketed in the past few days.
The Wordfence Threat Intelligence team is seeing a dramatic increase in attacks targeting the recent 0-day in the WordPress File Manager plugin. This plugin is installed on over 700,000 WordPress websites, and we estimate that 37.4% or 261,800 websites are still running vulnerable versions of this plugin at the time of this publication”, — write researchers.
So, just last Friday, on September 4, 2020, experts recorded attacks on more than a million sites. In total, over 1.7 million resources were attacked over the past week, and their number is still growing.
According to experts, since September 3, 2020, each of the following IP addresses has attacked at least 100,000 sites:
- 188.165.217[.]134;
- 192.95.30[.]59;
- 192.95.30[.]137;
- 198.27.81[.]188;
- 46.105.100[.]82;
- 91.121.183[.]9;
- 185.81.157[.]132;
- 185.222.57[.]183;
- 185.81.157[.]236;
- 185.81.157[.]112;
- 94.23.210[.]200.
The company emphasizes that Wordfence protects more than three million sites, but this is only part of the WordPress ecosystem, that is, the real scale of these attacks should be even greater, because WordPress is installed on tens or even hundreds of millions of sites.
Recommendations from Wordfence:
- If you believe that the functionality of your site requires the continued use of the File Manager plug-in, make sure you update it to version 6.9, which addresses this vulnerability. If the File Manager plugin has an older version, update it as soon as possible.
- If you are not actively using File Manager, uninstall it completely.
