WordPress SMTP plugin zero-day used by two hacker groups
Two cybersecurity companies that offer firewall plugins for WordPress sites have detected attacks abusing a zero-day vulnerability in a popular WordPress plugin.
At least two groups of hackers are abusing the zero-day to change site settings, create rogue admin accounts as backdoors, and then redirect traffic from the hacked sites. The zero-day abused by both groups is in “Easy WP SMTP,” a WordPress plugin with over 300,000 active installations.
Plugin Zero-Day exploited
The plugin’s main feature is to let website owners configure SMTP settings for outgoing emails from their site’s server. Attacks abusing the zero-day were first detected by NinTechNet, the company behind the NinjaFirewall WordPress firewall, last Friday, March 15.
The issue was reported to the plugin author, who patched the zero-day with the v1.3.9.1 release on Sunday, March 17. The attacks did not stop, however, but continued throughout the week, with hackers trying to take over as many sites as possible before site owners applied the patch.
Defiant, the cybersecurity company that manages the Wordfence WordPress firewall, said it still detects attacks even after the patch was released. The company broke down the operations of the two hacker groups in a report published earlier today. Defiant says the attacks abuse an export/import settings feature added in version 1.3.9 of the Easy WP SMTP plugin.
Defiant said hackers found that this new import/export feature allows modification of a website’s overall settings, not just those related to the plugin. Hackers are currently scanning for sites that use this plugin and then modifying settings to allow user registration, an option that many WordPress site owners have disabled for security reasons.
In the initial attacks seen by NinTechNet, hackers modified the “wp_user_roles” option, which defines the permissions of each role on a WordPress site, giving the “Subscriber” role the same capabilities as an administrator account.
This means hackers could register new accounts that appeared as subscribers in the WordPress database but had the permissions and capabilities of an admin account. In the attacks Defiant detected, hackers switched their modus operandi and started modifying the “default_role” setting instead of “wp_user_roles.” This setting controls the account type assigned to newly registered users; in this new attack, every newly created account is an admin account.
According to Defiant, this latter routine is now the one used by both hacker groups. “Both campaigns launch their initial attacks identically, using the proof-of-concept (PoC) exploit detailed in NinTechNet’s original vulnerability disclosure, matching that PoC exactly, down to the checksum,” said Mikey Veenstra, security researcher at Defiant. But the similarities between the two groups end there.
Defiant said the first of the two groups stops after a backdoor admin account has been set up on the hacked site, while the second group is more aggressive. Veenstra said this second group modifies hacked websites to redirect visitors to malicious sites.
The most common redirect destinations are tech support sites. All sites using the Easy WP SMTP plugin should update to the latest version, 1.3.9.1. Both NinTechNet and Defiant advise auditing a site’s user section for newly added accounts at both the subscriber and admin levels. Updating to the latest plugin version is recommended regardless, as the WordPress security firm White Fir Design, which also published a report on these attacks, has documented other security defects in the same plugin that could be abused [1, 2].
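As an added illustration, not part of the original report and not code from NinTechNet, Defiant or the plugin, the following Python script checks a site’s wp_options values for the two modifications described above and supports the account audit both firms recommend: a Subscriber role that has been granted administrator capabilities in “wp_user_roles,” and “default_role” switched to administrator with user registration enabled. The option values here are constructed samples, and the PHP-serialized “wp_user_roles” value is parsed by a small unserializer written for this example.

```python
"""Audit WordPress wp_options values for the two tampering patterns described
in the article: a Subscriber role granted administrator capabilities
(wp_user_roles) and new registrations defaulting to administrator
(default_role, with users_can_register enabled). Sample values below are
constructed, not taken from a real compromised site."""

# Capabilities that only the Administrator role holds on a stock WordPress
# install; finding any of them on another role is a strong tamper indicator.
ADMIN_ONLY_CAPS = {
    "manage_options", "edit_users", "create_users", "delete_users",
    "promote_users", "activate_plugins", "install_plugins", "edit_plugins",
}


def php_unserialize(data: str):
    """Minimal PHP unserialize() for the types WordPress stores in wp_options:
    N (null), b (bool), i (int), d (float), s (string), a (array -> dict).
    Written for this example; assumes ASCII strings so char and byte lengths match."""
    pos = 0

    def parse():
        nonlocal pos
        kind = data[pos]
        if kind == "N":                      # N;
            pos += 2
            return None
        if kind == "b":                      # b:1;
            value = data[pos + 2] == "1"
            pos += 4
            return value
        if kind in ("i", "d"):               # i:42;  d:1.5;
            end = data.index(";", pos)
            value = int(data[pos + 2:end]) if kind == "i" else float(data[pos + 2:end])
            pos = end + 1
            return value
        if kind == "s":                      # s:5:"hello";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                # skip  :"
            value = data[start:start + length]
            pos = start + length + 2         # skip  ";
            return value
        if kind == "a":                      # a:2:{key;value;key;value;}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                  # skip  :{
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                         # skip  }
            return result
        raise ValueError(f"unsupported PHP type {kind!r} at offset {pos}")

    return parse()


def audit_options(options: dict) -> list:
    """Return human-readable findings for an option_name -> option_value map
    (the columns of the wp_options table)."""
    findings = []
    default_role = options.get("default_role")
    if default_role != "subscriber":
        findings.append(f"default_role is {default_role!r} (expected 'subscriber')")
    if options.get("users_can_register") == "1":
        findings.append("users_can_register is enabled: anyone can create an account")
    roles = php_unserialize(options.get("wp_user_roles", "a:0:{}"))
    for role, spec in roles.items():
        if role == "administrator":
            continue
        granted = {cap for cap, on in spec.get("capabilities", {}).items() if on}
        leaked = sorted(granted & ADMIN_ONLY_CAPS)
        if leaked:
            findings.append(f"role {role!r} holds admin capabilities: {', '.join(leaked)}")
    return findings


# Constructed samples: a stock site and one tampered the way the article describes.
CLEAN_OPTIONS = {
    "default_role": "subscriber",
    "users_can_register": "0",
    "wp_user_roles": (
        'a:2:{s:13:"administrator";a:2:{s:4:"name";s:13:"Administrator";'
        's:12:"capabilities";a:2:{s:14:"manage_options";b:1;s:10:"edit_users";b:1;}}'
        's:10:"subscriber";a:2:{s:4:"name";s:10:"Subscriber";'
        's:12:"capabilities";a:1:{s:4:"read";b:1;}}}'
    ),
}

TAMPERED_OPTIONS = {
    "default_role": "administrator",
    "users_can_register": "1",
    "wp_user_roles": (
        'a:2:{s:13:"administrator";a:2:{s:4:"name";s:13:"Administrator";'
        's:12:"capabilities";a:2:{s:14:"manage_options";b:1;s:10:"edit_users";b:1;}}'
        's:10:"subscriber";a:2:{s:4:"name";s:10:"Subscriber";'
        's:12:"capabilities";a:3:{s:4:"read";b:1;s:14:"manage_options";b:1;s:10:"edit_users";b:1;}}}'
    ),
}

if __name__ == "__main__":
    for label, opts in (("clean", CLEAN_OPTIONS), ("tampered", TAMPERED_OPTIONS)):
        print(label, audit_options(opts) or ["no findings"])
```

The role check matters because a tampered Subscriber role makes an attacker’s backdoor account look ordinary in the user list: its role column still says “Subscriber,” so listing users by role alone will not reveal it, whereas comparing each role’s capability set against the administrator-only capabilities will.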
In all this, a black mark goes to the moderation team of the WordPress forum, who seem more worried about forum users using the term “zero-day” to describe this vulnerability and the ongoing attacks.
The WordPress forum moderation team has a long history of censoring and downplaying security issues and attacks, leaving users of some plugins in the dark about unpatched vulnerabilities and ongoing attacks.
A report published this year by the cyber security company Sucuri found that 90% of all hacked content management systems (CMS) are WordPress sites.