cybercriminals

Soaked in exploits: WordPress under attack again

A third-party plugin for WordPress CMS – RevSlider – made vulnerable up to 100K WordPress-based sites, with more than 10K blocked by Google for re-distributing malware they fell victims prior

Yuri Ilyin
December 30, 2014

A third-party plugin for WordPress CMS – RevSlider – made vulnerable up to 100K WordPress-based sites, with more than 10K blocked by Google for re-distributing malware they fell victims prior to that. The SoakSoak campaign is targeting WordPress users running Internet Explorer on Windows and that it’s pushing multiple exploit kits to the browser.

That’s bad news for the WordPress users, although this particularly popular content management system has a history of being targeted by malicious campaigns. Last year such sites were infected by an aggressive spambot and hit with bruteforce attacks on admin consoles, in an apparent attempt to beat the credentials out of them.

WordPress is free to use, and highly customizable due to a plethora of third-party plugins available. This makes this CMS very popular for both personal and business needs.

Not all of those plugins are safe, however. This time attackers hit a slideshow plugin “Slider Revolution” aka RevSlider. It is “passively popular” as it comes bundled with many WordPress themes. Lots of users don’t even know they have this plugin, which explains why so many sites are still unpatched.

The vulnerability that could allow an attacker to download any file, including database credentials, from the affected site’s server was discovered back in September in version 4.1.4. The problem is fixed in version 4.2, but users who had the slider installed as part of a bundled theme never received it, since the plugin’s automatic update mechanism is usually disabled when it comes as part of a theme. This is due to the relative instability of the plugin.

It is strongly recommended that the IT workers check out their WordPress installations for the presence of RevSlide plugin with versions older than 4.1.4, and update it, if necessary.

Blocking may be very problematic for the companies those heavily rely on their websites for doing business. Compromising and blocking may occur “out of the blue” while getting the site back in the ranking takes a long time, even if repairs are made promptly.

The site the campaign was pulling malware from – a Russian domain – is currently offline, which is a good news.

Shellshock NAStiness: a worm is backdooring storage devices using Bash flaw

Shellshock bug proved to be “wormable”, and is exploiting the vulnerable network attached devices (by QNAP at least), scanning for more potential victims. While it is not exactly a Christmas

Privacy & Kids

Soaked in exploits: WordPress under attack again

Lottery scams for the digital age

Steam stealers: your account is their target

Shellshock NAStiness: a worm is backdooring storage devices using Bash flaw

Tips

Advertisers sharing data about you with… intelligence agencies

Residential proxies: understanding the risks for organizations

Watch the (verified) birdie, or new ways to recognize fakes

Switching to Kaspersky: a step-by-step migration guide

Sign up to receive our headlines in your inbox

Home Solutions

Small Business Products

Medium Business Products

Enterprise Solutions

Securelist

Eugene Personal Blog

Encyclopedia