By Dr. Samir Kelekar, Senior Consultant, Indusface
Mass infection of nearly 50,000 websites has been reported. A recently patched vulnerability in the popular newsletter plug-in MailPoet for WordPress has been cited as the reason behind the hack. The security flaw is found in MailPoet Newsletters (previously known as wysija-newsletters). It was fixed in version 2.6.7 of the plug-in released on July 1. The unpatched version is permitting hackers to upload random PHP files on the Web server and thereafter take control of the site. A security researcher has stated that the malware has the ability to infect almost any site which exists on the server of a hacked WordPress website. This would mean that more sites can fall victim to this vulnerability and the count can go above 50,000. The security researcher has said that the vulnerability allows attackers to inject anything from malware to spambots on a website.
Are you safe from the attack if you are not running WordPress?
You might think that since you are not running WordPress, you are safe…right? Not so soon! To make things clearer, MailPoet vulnerability is an entry point. It is not mandatory that you will be affected only if you have it enabled on your website…the malware in question can infect any site that is sitting on the server of affected WordPress website.
It has been mentioned that the malware code is also carrying with it some bugs, which is validated by the fact that the malware caused many websites to dysfunction along with ensuring that the good files were overwritten, making it difficult to recover them. As per the hacker news, the malware has caused many websites to fall over and display the message:
Parse error: syntax error, unexpected ‘)’ in /home/user/public_html/site/wp-config.php on line 91.
The vulnerability was reported at the beginning of this month by a security firm. The backdoor installed by the malware is extremely dangerous and works by creating an admin account which further provides the hackers with complete administrative control. It also goes a step further and injects backdoor code into all themes and core files.
What should be your next action?
If you are using WordPress then updating your vulnerability plugins is a very good idea in the present scenario. If you are not using WordPress, then you need to contact your website server provider to ensure that he is not hosting other sites that have WordPress on it, which is having this vulnerability.
In order to protect their WordPress websites from this malware attack, administrators should update the MailPoet plug-in to 2.6.9., which is the latest version.
This attack is another classic case of ignoring a previous vulnerability. Users should not disregard the importance of updating apps to patched versions, as soon as they are available. Once a vulnerability is publicly disclosed, the hackers try their best to use it to their benefit and exploit it as much as they can. It is therefore imperative for the appropriate patch to be applied on a priority basis.
Anyone who owns a website and is serious about the security that they provide to their customers, irrespective of whether they allow financial transactions are not, should invest in a robust application security testing solution, which scans their apps for such malware and vulnerabilities. This is the best way of keeping yourself a step ahead of hackers and maintain a strong security posture.
In the above case, a patch is available, else it is critical that such vulnerabilities are blocked using a signature. Web Application Firewalls give custom signatures for the platform that you support such as WordPress. In case of a managed WAF, customized rules can be set, unique to each application. As per the need, security experts can provide expert tuning and rule configuration updates.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.