Attacks Targeting a Recently Addressed Vulnerability in the WordPress Plugin


Attacks targeting a vulnerability that has recently been resolved in the WordPress plugin File Manager are ramping up, the Wordfence Threat Intelligence team at WordPress security firm Defiant warns.

With over 700,000 active installations, File Manager is a widely used WordPress plugin that gives administrators file and folder management functionality (copy / paste, delete, download / upload, edit, and archive).

In early September 2020, the plugin's developer disclosed a critical-severity zero-day bug that was already being actively exploited. The bug, which carries a CVSS score of 10, allows attackers to execute code remotely on a vulnerable installation.

The problem stems from code taken from the elFinder project: the File Manager developers renamed the elFinder library's connector.minimal.php.dist file to .php so that it could be run directly, which opened the door to attackers.

Nearly two weeks after a fix for the vulnerability was released, several threat actors are targeting unpatched systems, Wordfence researchers reveal.

Four days after the zero-day was patched, attacks were targeting more than 1.7 million domains; as of September 10 that number had risen to 2.6 million.

“We’ve seen evidence of numerous threat actors taking part in these attacks, including small attempts by the threat actor formerly responsible for targeting millions of sites, but two attackers have been the most effective in exploiting vulnerable sites, and at this time both attackers are password protecting insecure copies of the connector.minimal.php file,” Wordfence states.

The most active attacker is a Moroccan threat actor known as “bajatax,” who modifies the insecure connector.minimal.php file to lock out further attacks. This is the first threat actor observed targeting the vulnerability at scale.

If the intrusion succeeds, the attacker plants code that exfiltrates user credentials through the Telegram messenger's API. The code is added to the user.php core file of WordPress, and if WooCommerce is installed, two more files are modified to steal users' passwords.

A second adversary targeting the flaw inserts a backdoor into compromised websites and, to keep other attackers out, protects the connector.minimal.php file with a password. This threat actor, however, tends to reuse the same password across infections.

The compromised website contains two copies of the backdoor, one in the webroot and the other in a randomly named writable directory, presumably to ensure persistence. The attacker uses the backdoors to modify core WordPress files, which, based on this threat actor's previously established modus operandi, are then abused for monetization.

Wordfence has found malware from several adversaries on many of the compromised websites. Attacks targeting the vulnerability were observed from more than 370,000 different IP addresses, with almost no overlap between the IPs used by the two most successful attackers.

“As more and more users update or delete the File Manager plugin, control of any compromised sites is likely to be divided between these two threat actors,” states Wordfence.

Website administrators are advised to update the File Manager plugin as soon as possible, and also to check their site for signs of compromise and remove any malicious code they find.
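One way to turn that advice into a repeatable check, as an added example that is not code from the article or from Wordfence: a small scan that looks for the two indicators the article describes, a live connector.minimal.php left inside the plugins tree and a Telegram API reference planted in the WordPress user.php core file. The file paths (wp-includes/user.php, the wp-file-manager plugin directory) are assumptions, and the sample site it scans is constructed in a temporary directory.

```python
"""Added example (not from the article or Wordfence): defender-side scan for the
two indicators the article describes on a WordPress install:
  1. a live elFinder connector (connector.minimal.php, not .php.dist) inside the
     plugins tree, and
  2. a Telegram API reference planted in the WordPress user.php core file.
All paths are assumptions; the sample site is constructed in a temp dir."""
import tempfile
from pathlib import Path

# Assumed names (not from the article): core file the article says was modified,
# and the hostname any Telegram-API-based exfiltration would have to contact.
CORE_USER_FILE = Path("wp-includes") / "user.php"
TELEGRAM_MARKER = "api.telegram.org"
CONNECTOR_NAME = "connector.minimal.php"


def scan_wordpress(root: str) -> dict:
    """Return findings keyed by indicator; each value lists matching paths."""
    root_path = Path(root)
    findings = {"exposed_connector": [], "telegram_in_core": []}
    plugins_dir = root_path / "wp-content" / "plugins"
    if plugins_dir.is_dir():
        # rglob matches the exact file name, so the shipped .php.dist is ignored.
        for p in sorted(plugins_dir.rglob(CONNECTOR_NAME)):
            findings["exposed_connector"].append(p.relative_to(root_path).as_posix())
    core = root_path / CORE_USER_FILE
    if core.is_file() and TELEGRAM_MARKER in core.read_text(errors="ignore"):
        findings["telegram_in_core"].append(CORE_USER_FILE.as_posix())
    return findings


def build_sample_site(root: str, infected: bool) -> None:
    """Construct a minimal fake WordPress tree (plugin dir name is assumed)."""
    plugin = Path(root) / "wp-content" / "plugins" / "wp-file-manager" / "lib" / "php"
    plugin.mkdir(parents=True)
    (plugin / "connector.minimal.php.dist").write_text("<?php // shipped template\n")
    core = Path(root) / CORE_USER_FILE
    core.parent.mkdir(parents=True)
    core.write_text("<?php function wp_authenticate() {}\n")
    if infected:
        (plugin / CONNECTOR_NAME).write_text("<?php // renamed, now executable\n")
        core.write_text(core.read_text() + "// constructed marker: api.telegram.org\n")


def demo(infected: bool) -> dict:
    """Build a clean or infected sample site and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp, infected)
        return scan_wordpress(tmp)
```

Calling `demo(True)` reports both indicators, while `demo(False)` reports none; against a real install, call `scan_wordpress()` on the site root instead.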

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.