WordFence, a WordPress security platform, stated that they have blocked 13.7 million attacks against WordPress sites in the span of 36 hours. The number of attacks reflects a dramatic increase in activity from threat actors, originating from 16,000 different IP addresses.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Based on the data collected by WordFence, threat actors are targeting 4 separate plugins with Unauthenticated Arbitrary Options Update vulnerabilities, some of which were patched in late 2018. These vulnerabilities are being used to gain access to the site’s settings, and in most cases the attackers are updating an option that lets them register on the site as an administrator.
WordPress suspects that this surge in activity is in response to a recently released patch for a vulnerability in PublishPress Capabilities which may have increased interest in targeting Arbitrary Options Updates vulnerabilities as a whole.
WHY IS IT NOTEWORTHY?
WordPress is a widely used website platform, adopted by enterprises and SMBs alike. This combination of unpatched vulnerabilities, large attack surfaces, and an increase in the volume of attacks means that many organizations were likely targeted and could have been compromised.
WHAT IS THE EXPOSURE OR RISK?
Because the patch was only recently released, some organizations may not have updated their WordPress installations to protect themselves from the PublishPress vulnerability. This may mean a large number of organizations are still vulnerable. The attackers most commonly use these vulnerabilities to gain privileged access to the sites by adding themselves as admins. This kind of access can later be used to gather information on a targeted organization, to perform future attacks against an enterprise, or it can be sold on the dark web to additional attackers.
WHAT ARE THE RECOMMENDATIONS?
WordPress has stated that organizations utilizing WordFence Premium are already protected against the exploit attempts that threat actors are targeting, and anyone using the free version of WordFence is also protected against them, except for the recently patched PublishPress vulnerability. Those users will receive the firewall rule on January 6th, 2022.
Barracuda MSP strongly recommends updating any affected plugins documented in the links below if your organization uses them. We also recommend the following:
- Reviewing user accounts to ensure all accounts are authorized.
- Checking the “Membership” setting to ensure it is correctly set for your site.
- Validating the “New User Default Role” to ensure it is correctly set, preferably not using “Administrator” as that default role.
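As an added, defender-side example that is not part of the original advisory, the following Python script performs the three checks above against a WordPress database. It reads the users_can_register and default_role rows of wp_options, which is where WordPress stores the “Membership” and “New User Default Role” settings, and lists any administrator account that is not on an expected list. The sample data is constructed in an in-memory SQLite database and assumes the default wp_ table prefix; against a live site, point the connection at the real database instead.

```python
"""Audit a WordPress database for the settings and accounts that an
Arbitrary Options Update attack typically changes."""
import sqlite3

# Constructed sample data standing in for wp_options, wp_users and
# wp_usermeta (default "wp_" prefix assumed). It models a site where the
# option update has already happened and a rogue admin has registered.
SAMPLE_SQL = """
CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
INSERT INTO wp_options VALUES ('users_can_register', '1');
INSERT INTO wp_options VALUES ('default_role', 'administrator');
INSERT INTO wp_users VALUES (1, 'siteowner', '2019-03-02 10:00:00');
INSERT INTO wp_users VALUES (7, 'wpupdate', '2021-12-10 03:14:07');
INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta VALUES (7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
"""


def load_sample():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def audit(conn, known_admins):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    opts = dict(conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('users_can_register', 'default_role')"))
    # Membership: "Anyone can register" is stored as users_can_register = '1'.
    if opts.get("users_can_register") == "1":
        findings.append("Membership: 'Anyone can register' is enabled")
    # New User Default Role should never be administrator.
    if opts.get("default_role") == "administrator":
        findings.append("New User Default Role is 'administrator'")
    # Capabilities are a PHP-serialized array; match the administrator entry.
    rows = conn.execute(
        "SELECT u.user_login, u.user_registered, m.meta_value FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities'")
    for login, registered, caps in rows:
        if '"administrator";b:1;' in caps and login not in known_admins:
            findings.append(f"Unexpected administrator '{login}' registered {registered}")
    return findings


if __name__ == "__main__":
    for finding in audit(load_sample(), {"siteowner"}):
        print("FINDING:", finding)
```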
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.