SoakSoak bug hits 100,000 websites using old plugin flaw

WordPress sites have been hit by a malware campaign from a Russian domain using a plugin flaw identified months ago.

More than 100,000 websites worldwide have been infected with new ‘SoakSoak’ malware which is being distributed from a Russian website.

The bug is infiltrating WordPress-based sites using a weakness in the popular WordPress Slider Revolution slideshow plugin that has been known about for months.

The fact that many site admins have not replaced or patched the flawed plugin has sparked debate as to how much they are to blame for the malware spread.

The problem was first identified on Sunday and Monday by security firm Sucuri in two blogs which describe it as a “disaster” for website owners.

On Sunday, Sucuri CEO Tony Perez said the campaign, named after the SoakSoak.ru domain distributing it, was impacting hundreds of thousands of WordPress-run sites.

He said Google had already blacklisted over 11,000 domains that were inadvertently hosting the malware.

On Monday, Sucuri CTO Daniel Cid confirmed over 100,000 WordPress sites had been compromised “and growing by the hour”, while Sucuri told SC Magazine US that the number of blacklisted sites had already climbed to 15,000.

The scale of infections and blacklistings could grow substantially, as around 70 million websites run on WordPress and any version using RevSlider is vulnerable to SoakSoak.

In his blog, Cid confirmed the attack was coming via the plugin, adding: “We disclosed a serious vulnerability with RevSlider a few months ago. It seems that many webmasters have either not heard of or did not take seriously the vulnerability.

“The biggest issue is that RevSlider is a premium plugin, it's not something everyone can easily upgrade and that in itself becomes a disaster for website owners.

“Some site owners don't even know they have it as it's been packaged and bundled into their themes. We're currently remediating thousands of sites and when engaging with our clients many had no idea the plugin was even within their environment.”

Sucuri said that once the malware finds a site using RevSlider, it tries to infect it with the popular Filesman backdoor and a secondary backdoor that redirects the site's visitors to soaksoak.ru.

Sucuri said some site owners have tried to remove the infection by replacing their swfobject.js and template-loader.php files – but warns this is not enough.

Cid said: “This campaign is making use of several new backdoor payloads, some to inject new administrator users into the WordPress installs, giving them even more control long-term.

“Some users are clearing infections and getting re-infected within minutes. Do not just clean these two files! It removes the infection, but does not address the leftover backdoors and initial entry points.

“If you are affected by this, expect to find yourself riddled with backdoors and infections, you have to not only clean, but also stop all malicious attacks.”

Sucuri said users should use a website firewall to stop the attacks, “ours or someone else's”.

Meanwhile, there are mixed views in the security community as to how culpable webmasters are for the malware spread because they did not patch the RevSlider flaw.

Kevin Epstein, VP of advanced security and governance at Proofpoint, sprang to their defence.

He told SCMagazineUK.com via email that WordPress site attacks are common “and difficult for even experienced administrators to thoroughly clean, as attackers often create layers of access”.

He said: “If the 'obvious' hole is patched, attackers still retain hidden administrative remote access with the ability to create new holes. Sometimes the hole isn't even in the site itself, but in the advertising network serving the site.”

Gavin Millard, EMEA technical director at Tenable Network Security, was more critical.

He told SC: "One major problem when it comes to vulnerabilities on platforms like WordPress, Drupal or other content management systems, is that the sites are often spun up easily and forgotten quickly.

“Identifying that applications like WordPress are present and documenting the associated third-party plugins installed is something that can be easily overlooked by IT staff.

"The need to know your hosts, applications, weak configurations and vulnerabilities are the SANS top-four critical security controls for a reason. If you don't know what you have, how can you appropriately deal with the ever-increasing number of issues being discovered within the code that's used by many every day?"
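Sucuri's warning above (replacing swfobject.js and template-loader.php alone leaves the backdoors and the entry point in place) and Millard's point that administrators often do not know which plugins are on a host both come down to the same defensive basics: an inventory of what is installed, and a way to tell a clean file from a tampered one. The following Python script is an added example written for this article, not code from Sucuri, ThemePunch or any of the people quoted. It lists plugin headers under wp-content/plugins and inside theme directories (where a bundled copy of Slider Revolution would sit, extracted or still as a zip), and compares a short list of files against a known-good SHA-256 baseline. The slug revslider, the wp-content layout and the two wp-includes paths are assumptions based on a standard WordPress install; the sample files, baseline hashes and the "injected" content are constructed, and the script builds a throwaway directory tree so it runs offline.

```python
"""Inventory WordPress plugins (including copies bundled inside themes) and
check selected files against a known-good hash baseline.

Added example for this article, not Sucuri's or ThemePunch's code. The plugin
slug 'revslider', the wp-content layout and the two wp-includes paths are
assumptions based on a standard WordPress install; all sample files and
baseline hashes are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Header fields WordPress reads from the top of a plugin's main PHP file.
PLUGIN_HEADER = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
# Assumption: directory/archive slug used by Slider Revolution.
WATCHED_SLUGS = {"revslider"}


def read_plugin_header(path):
    """Return {'Plugin Name': ..., 'Version': ...} from a PHP file, or None if
    the file has no plugin header."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fields = dict(PLUGIN_HEADER.findall(fh.read(8192)))
    return fields if "Plugin Name" in fields else None


def find_plugins(wp_root):
    """Walk wp-content/plugins and wp-content/themes. Plugins found under
    themes are reported as bundled, including unextracted <slug>.zip archives."""
    found = []
    content = os.path.join(wp_root, "wp-content")
    for base, bundled in ((os.path.join(content, "plugins"), False),
                          (os.path.join(content, "themes"), True)):
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                stem, ext = os.path.splitext(name)
                if ext == ".php":
                    hdr = read_plugin_header(os.path.join(dirpath, name))
                    if hdr:
                        found.append({"slug": os.path.basename(dirpath),
                                      "name": hdr["Plugin Name"],
                                      "version": hdr.get("Version", "?"),
                                      "location": dirpath, "bundled": bundled})
                elif ext == ".zip" and stem.lower() in WATCHED_SLUGS:
                    found.append({"slug": stem.lower(), "name": name,
                                  "version": "?", "location": dirpath,
                                  "bundled": bundled})
    return found


def watched_plugins(plugins):
    """Return only the entries whose slug is on the watch list."""
    return [p for p in plugins if p["slug"] in WATCHED_SLUGS]


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def check_integrity(wp_root, baseline):
    """Compare each baseline file to its known-good sha256. Returns a list of
    (relative path, 'ok' | 'modified' | 'missing')."""
    results = []
    for rel, good in sorted(baseline.items()):
        path = os.path.join(wp_root, rel)
        if not os.path.exists(path):
            results.append((rel, "missing"))
        else:
            results.append((rel, "ok" if sha256_file(path) == good else "modified"))
    return results


def build_demo_site():
    """Construct a throwaway WordPress-like tree: one normal plugin, a copy of
    revslider bundled inside a theme (as extracted PHP and as a zip), and a
    tampered swfobject.js. Returns (root, baseline)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {  # all contents constructed for the demo
        "wp-content/plugins/demo-plugin/demo-plugin.php":
            "<?php\n/*\nPlugin Name: Demo Plugin\nVersion: 1.0\n*/\n",
        "wp-content/themes/demo-theme/style.css": "/*\nTheme Name: Demo Theme\n*/\n",
        "wp-content/themes/demo-theme/inc/revslider/revslider.php":
            "<?php\n/*\n * Plugin Name: Slider Revolution\n * Version: 0.0-demo\n */\n",
        "wp-content/themes/demo-theme/plugins/revslider.zip": "PK-placeholder",
        "wp-includes/js/swfobject.js": "/* clean swfobject.js (constructed) */\n",
        "wp-includes/template-loader.php": "<?php // clean template-loader.php (constructed)\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    # Record the baseline from the clean copies, then simulate an injection.
    watched = ["wp-includes/js/swfobject.js", "wp-includes/template-loader.php"]
    baseline = {rel: sha256_file(os.path.join(root, rel)) for rel in watched}
    with open(os.path.join(root, watched[0]), "a", encoding="utf-8") as fh:
        fh.write("/* injected redirect placeholder (constructed) */\n")
    return root, baseline


if __name__ == "__main__":
    site, base = build_demo_site()
    for p in find_plugins(site):
        flag = "  <-- known-vulnerable family, verify version" if p["slug"] in WATCHED_SLUGS else ""
        print(f"{'bundled' if p['bundled'] else 'plugin '} {p['slug']:12} {p['version']:8} {p['location']}{flag}")
    for rel, status in check_integrity(site, base):
        print(f"{status:8} {rel}")
```

On a real install the baseline would be taken from a clean copy of the same WordPress release, and the plugin list would be compared against what the site owner believes is installed. A 'modified' result is a reason to look for the rest of the foothold (further backdoors, unexpected administrator accounts, the unpatched plugin that let the attacker in) rather than to restore the one file, which is exactly the clean-and-reinfect cycle Sucuri describes.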

Michael Sutton, VP of security research at Zscaler, criticised ThemePunch, the makers of Slider Revolution.

He said that in February, they silently patched a critical flaw, only acknowledging this in September when Sucuri highlighted the vulnerability, which by then was being actively exploited.

Sutton said: “ThemePunch claimed the decision to patch silently was made so as not to create ‘fear that an instant public announcement would spark a mass exploitation of the issue’. History has shown us the flaw in this logic. Such decisions benefit the attackers, who in this case already knew about the vulnerability which had been discussed in public forums for months.

“Customers using the plugin were the ones left in the cold as they were less likely to immediately implement a patch without knowing that it included a serious security fix.

“To make matters worse, this is a very popular plugin that has left 100,000-plus websites exposed and is often bundled with other themes, so website owners don't even know that they're exposed.”

Kevin Epstein advised: “The defence against such attacks and layered compromises is to engage in similar layering in protection, both on the part of site owners and enterprises whose staff visit such sites.

“Defences should include targeted attack protection (to defend against emailed links pointing to such sites), application layer firewalls (to defend against malicious traffic), and automated incident threat response, to detect and block malware command and control traffic."