Look inside WordPress plugins, fakes used by cyber-criminals to plant backdoors

News by Rene Millman

Security researchers have discovered fake WordPress plugins that act as backdoors for hackers and could be used to carry out DDoS and brute force attacks.

According to a blog post by researchers at Sucuri, the fake plugins share a similar structure and header comments with the popular backup/restore plugin UpdraftPlus, a legitimate piece of software designed to help back up WordPress websites.
Researchers said that hackers have used different names for these fake plugins, including initiatorseo or updrat123.
"The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019," said researchers.
The plugin hides itself from any WordPress user whose browser does not send a specific User-Agent string; these strings vary from plugin to plugin. As a result, the plugin cannot be seen in the dashboard. However, if an attacker adds a specific GET parameter to a request, such as initiationactivity or testingkey, the plugin will report its presence.
The primary purpose of these plugins is to serve as a backdoor that allows attackers to upload arbitrary files to compromised websites. Researchers said that malicious requests come in the form of POST parameters, which specify a remote URL to download the file from, along with the path and name of the file to be created on the compromised server.
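Because these plugins hide themselves from the dashboard, a check that reads the plugin folders on disk is the practical way to find them. The script below is an added example (not code from the article or from Sucuri): it parses each plugin's header block and flags a folder whose declared Plugin Name shares no token with the folder's own name, which is what a copied UpdraftPlus header sitting in a folder called updrat123 looks like. The sample sources and the token-overlap heuristic are constructed assumptions.

```python
import re
from pathlib import Path

# Constructed sample plugin sources (not taken from the article): the genuine
# UpdraftPlus 1.16.16 header, a fake that copies it into a folder with an
# unrelated name, and an unrelated legitimate plugin as a control.
SAMPLES = {
    "updraftplus": "<?php\n/*\nPlugin Name: UpdraftPlus - Backup/Restore\n"
                   "Plugin URI: https://updraftplus.com\nVersion: 1.16.16\n*/\n",
    "updrat123": "<?php\n/*\nPlugin Name: UpdraftPlus - Backup/Restore\n"
                 "Plugin URI: https://updraftplus.com\nVersion: 1.16.16\n*/\n",
    "wordpress-seo": "<?php\n/*\nPlugin Name: Yoast SEO\nVersion: 12.0\n*/\n",
}

def parse_header(src):
    """Read the WordPress plugin header (Key: value lines in the first /* */ block)."""
    m = re.search(r"/\*(.*?)\*/", src, re.S)
    block = m.group(1) if m else ""
    pairs = re.findall(r"^\s*\*?\s*([A-Za-z][A-Za-z ]*):\s*(.+?)\s*$", block, re.M)
    return {k.strip(): v for k, v in pairs}

def is_suspicious(folder, header):
    """Heuristic: flag a plugin whose folder slug shares no token with the Plugin
    Name it declares. Genuine plugins usually overlap (wordpress-seo / Yoast SEO);
    the fakes copy another plugin's header into an arbitrarily named folder.
    A missing header is flagged too. Expect some false positives; review by hand."""
    name = header.get("Plugin Name", "")
    if not name:
        return True
    tokens = {w for w in re.findall(r"[a-z0-9]+", name.lower()) if len(w) > 2}
    slug = re.sub(r"[^a-z0-9]", "", folder.lower())
    return not any(t in slug for t in tokens)

def scan(plugins):
    """plugins maps folder name -> main PHP source; returns the flagged folders."""
    return sorted(f for f, src in plugins.items() if is_suspicious(f, parse_header(src)))

def load_plugins_dir(root):
    """Build that mapping from a real wp-content/plugins tree, using the first
    top-level .php file in each folder that carries a 'Plugin Name:' header."""
    found = {}
    for d in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        found[d.name] = ""  # stays empty (and gets flagged) if no header file exists
        for php in sorted(d.glob("*.php")):
            src = php.read_text(errors="ignore")
            if "Plugin Name:" in src:
                found[d.name] = src
                break
    return found
```

On a live site, `scan(load_plugins_dir("/var/www/html/wp-content/plugins"))` lists the folders to inspect; `scan(SAMPLES)` returns `['updrat123']`.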
Researchers said that the names of these POST parameters have been unique for each plugin that they have analysed.
"In our experience, hackers have been using this backdoor to upload web shells to seemingly random locations," said researchers.
Randomly named scripts have been uploaded to websites' root directories to carry out brute force attacks on other sites. Researchers said that while none of the techniques used in this attack are new, it clearly demonstrates that cleaning only the visible parts of an infection is not enough.
"Hackers want to maintain access to websites as long as they can. To accomplish this, they upload various backdoors into random files scattered across the whole site. Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface," said researchers.
They added that compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or cryptomining.
Jake Moore, cyber-security specialist at ESET, told SC Media UK that plugins can be an essential way to make your life more streamlined, but, as with any unknown application or e-commerce website, reviews are there to help the user separate the wheat from the chaff.
 
"Moreover, it is vital not to reuse passwords online and to make sure they are all complex - even if this becomes a hassle for multiple users who manage the sites. Password managers are no longer an inconvenience and reusing passwords will get you into a lot of troubled waters, not just with this issue. Naturally, patching is also key with all updates, but it is vital that users only download what they entirely need in terms of plugins. Many people can tend to keep plugins running even after a one time use, but it’s always best practice to keep only what is used regularly," he said.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that companies should be wary of what plugins they are allowing on their site. 
"While it may be tempting to install a novel plugin, one has to stop and ask whether it fulfils the needs of the business or if it is just a gimmick or nice to have," he said.
 
"They should also audit and gain assurance for plugins and overall website functionality on a regular basis. This can be done with a combination of technical controls including scans, as well as periodically allowing experts to manually check, which can include reviewing logs, or conducting penetration tests."
