In a mass-level attack, attackers have targeted a large number of WordPress websites. All the sites based on WordPress 4.7.1 or below are claimed to be vulnerable through a hidden REST API loophole.
The WordPress team silently patched a critical content injection vulnerability in its version 4.7.2 release that was debuted on January 26. However, due to least awareness of the fix, attackers have capitalised on sites that are not yet updated to the latest version.
According a report by cybersecurity firm Securi, there are four active campaigns by attackers targeting sites that are still not patched with the update. These campaigns leverage one of the REST endpoints on dated WordPress installation to view, edit, delete and create posts using the API.
Most of the anonymous attackers have already started their activities leading to website defacements. Sucuri reports that same IP addresses and defacers are hitting their network and plotted honeypots. One of the largest campaigns through the vulnerability has already compromised more than 66,000 WordPress pages.
Sucuri has identified this group as w4l3XzY3, Cyb3r-Shia, By+NeT.Defacer, and By+Hawleri_hacker. The four IP addresses used by the largest group are 176[.]9[.]36[.]102, 185[.]116[.]213[.]71, 134[.]213[.]54[.]163 and 2a00[:]1a48[:]7808[:]104[:]9b57[:]dda6[:]eb3c[:]61e1.
“The defacement campaigns are going strong and increasing by the day, but we believe that it will slow down in the next few days. What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward,” says Daniel B. Cid, founder and CTO of Sucuri, in a blog post.
An official statement from the WordPress maintainers highlights that the delay in the disclosure by WordPress was purposefully done to give sites a window to patch the update. Although WordPress has a default feature to update the site automatically, some users choose to disable this feature.
Website administrators using older WordPress versions are recommended to patch the update immediately to prevent any damage. If your site is among the compromised ones, you should remove the dummy post or page and then apply enhancements such as two-factor authentication and basic authentication using relevant plugins.