ACSC Alerts on Widespread CMS Exploitation Deploying Webshells

The Australian Signals Directorate’s Cyber Security Centre (ACSC) has issued a critical alert regarding a large-scale exploitation campaign targeting various content management systems (CMS). This campaign involves the deployment of webshells on vulnerable websites, granting attackers unauthorized remote control over affected servers.

Webshells are malicious scripts that, once installed, allow attackers to execute commands remotely, manipulate files, and access sensitive data. In this campaign, threat actors are exploiting known vulnerabilities across multiple CMS platforms and plugins to install these webshells. The vulnerabilities being targeted include unauthenticated file uploads, remote code execution, server-side request forgery, and unsafe deserialization. Notably, many of these vulnerabilities have existing patches, highlighting the importance of timely software updates.

Scope of the Exploitation

The exploitation campaign is extensive, affecting a wide range of CMS platforms and plugins. Among the targeted WordPress plugins are Simple File List, WavePlayer, BerqWP, WPBookit, Ninja Forms, ThemeREX Addons, Breeze Cache, pay-uz, ACF Extended, Sneeit Framework, WPvivid Backup, Gravity Forms, and GutenKit or Hunk Companion. Additionally, standalone platforms such as Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE have been compromised. Attackers are scanning the internet for websites running vulnerable versions of these platforms and plugins, deploying webshells upon successful exploitation.

Recommended Actions

ACSC advises website owners to take immediate action to mitigate the risks associated with this campaign. Key recommendations include:

  • Inspect CMS directories for unusual or unauthorized files that may indicate the presence of a webshell.
  • Review web access logs for suspicious requests targeting known webshell paths or attempting to exploit known vulnerabilities.
  • Ensure all CMS platforms, plugins, and associated software are updated to the latest versions to patch known vulnerabilities.
  • Implement robust security measures, such as web application firewalls, to detect and block malicious activities.
  • Regularly back up website data to facilitate recovery in the event of a compromise.

In cases where a webshell is detected, it is crucial to treat the server as fully compromised. Immediate steps should include isolating the affected server, conducting a thorough audit of authentication and network configurations, and restoring the system from a clean backup.

This campaign underscores the evolving nature of cyber threats and the necessity for organizations to maintain vigilant security practices. The rapid exploitation of known vulnerabilities emphasizes the importance of prompt patching and continuous monitoring to protect digital assets from unauthorized access and potential damage.