Towards the end of last year, thousands of WordPress sites were discovered to be infected with a nasty bit of malware that included a keylogger and cryptocurrency miner. The malware relied on a server located at the fake cloudflare.solutions domain, which was quickly taken down, stopping it from sending data to the people behind the attack.
But it appears the same malware is back, infecting WordPress sites and loading its payload from various new domains. The domains the malware uses have nothing to do with the real Cloudflare. Since the proliferation of top-level domains over the last few years, it's straightforward for an attacker to register a domain that resembles that of a prominent company. At a cursory glance, an inexperienced site owner is likely to overlook code referencing domains they associate with a legitimate business whose services they may use.
At the time of writing, it appears that several thousand WordPress sites have been infected, so, if you use our Virtual Private Server or Dedicated Server hosting platform to host a WordPress site, it’s worth taking a moment to make sure that it isn’t infected.
The malware has two roles: firstly, it logs keystrokes entered into form fields on a WordPress site and, secondly, it loads cryptomining code in the browsers of site visitors.
The keylogger is dangerous, particularly on WordPress sites that ask users to enter identifying or otherwise sensitive data. Ordinarily, that type of data is encrypted by TLS as it travels over the web so that an eavesdropper can't intercept it. But TLS only protects data in transit: in this case the malicious script runs in the visitor's browser as part of the site itself, so it can read what is typed into form fields before anything is encrypted and send it wherever the attacker likes.
The cryptomining scripts cause problems for site visitors. Cryptocurrencies are created by a process called mining, which is essentially running lots of hard math on a computer's CPU or GPU. The miner that completes enough of that work is rewarded with newly created coins.
Because lots of computer power is needed to generate even a small number of coins, one solution is to distribute the work among lots of low-power computers, which is exactly what the cryptomining malware does. The attacker gains cryptocurrency without having to invest in expensive hardware to do the work. Cryptomining malware consumes resources, including power, which is not something any site owner should inflict on their users, especially those using mobile devices.
It’s not clear how the malware infects WordPress sites in the first place, but the usual suspects are probably to blame: outdated WordPress sites with known vulnerabilities that haven’t been patched. Keep your WordPress sites up-to-date, folks!
If your site is infected, the most certain and effective way to remove malware is to reinstall WordPress and restore files and the database from a recent backup you're sure is uninfected. If that's not an option for you, Sucuri has an excellent guide to removing malware from a hacked WordPress site.
Earlier this month, it was reported that over 4,200 government and commercial sites in the US and UK were infected with cryptomining malware. The sites hadn't been compromised by attacks on their servers or content management systems. Instead, Browsealoud, a utility used by all of the affected sites, was targeted. Browsealoud is an accessibility tool that gives websites the ability to read content out loud.
At the time of writing, it isn’t clear how the malicious code found its way into Browsealoud, but once it was injected, every visitor to sites that used Browsealoud — it is to be found on many government and corporate sites — downloaded and executed the code.
In this case, the malicious code loaded Coinhive’s Monero miner, which uses the resources of site visitors’ machines to mine for the Monero cryptocurrency. Mining cryptocurrency at scale usually requires a large investment in high-power hardware. An alternative to buying expensive mining machines is to distribute the work among thousands of lower-powered machines, which is exactly what the Browsealoud attackers hoped to achieve.
Having your computer’s resources wasted to fill an attacker’s Monero wallet isn’t good, but the malware payload could have been much worse. The same technique can be used to inject malvertising, keyloggers, spyware, botnet software, and anything else the attackers deem useful.
Today’s web wouldn’t function without code from third-parties. The vast majority of the sites you visit pull in code from content distribution networks, analytics platforms, and a multitude of other sources. Popular projects like Browsealoud are prime targets for online criminals: compromise one project and you gain access to thousands or millions of users.
Unfortunately, it's next to impossible for site owners to thoroughly vet every line of code their sites rely on. However, there are security precautions that will reduce the chance of a successful supply-chain attack. Subresource Integrity (SRI) is a security feature built into browsers that sites can use to verify that a script or stylesheet loaded from a third party is exactly the file the site owner expected.
To use SRI, site owners put a cryptographic hash of the expected file in the tag that loads it. The browser hashes the file it actually receives and compares the result to the hash in the tag; if they match, the file is byte-for-byte what was vetted, and if they don't, the browser refuses to run it. The trade-off is that the hash pins one exact version of the file, so a third party that updates its script in place will break the page until the hash is refreshed. None of the sites affected by the Browsealoud attack used SRI.
We're officially well into 2018! All of our resolutions and strategies are set in motion and it's time to check in to see how you're doing so far. From Burger King explaining Net Neutrality to the Linux, Meltdown and Spectre battle, this month has been interesting thus far. If you're looking for some inspiration or just good content, check out our first 2018 round up! If you enjoy this collection of the web's top articles, feel free to follow us over on Facebook, Twitter, and Google+ for the same great content the rest of the year.
The Captcha plugin, which is owned by the developer "simplywordpress", is infected with a backdoor that gives administrator access to the plugin's current owner. Over 300,000 WordPress sites have installed the Captcha plugin, which can no longer be installed from the WordPress Plugin Repository. We recommend that WordPress site owners who have installed this plugin remove it immediately.
If you’re planning to get into PHP web development, you can save yourself a lot of time (not to mention more than a few headaches) by working with a development framework. Designed to reduce development overhead and dial down complexity in the development process, a framework includes a series of tools, pre-built components, and code samples that you can use to eliminate a lot of the redundant legwork when it comes to web development.
“Today, a single person can perpetrate a multi-million dollar cybercrime with impunity. Activists, hacktivists, nation states, organized crime and rogue individuals are making careers as cyber thieves.”
When I talk to business owners about server hosting, we often talk about which content management system is best for their business. That discussion is often framed in terms of performance — they ask me which content management system is fastest.
I’m not a big fan of New Year’s Resolutions, especially when server security is involved. Security should be a constant concern for anyone doing business on the web. But, as a new year begins, it is a good time for server hosting clients to review the security policies and the systems they have in place. It’s empowering to start the new year confident that everything is working as it should.
It's time to say goodbye to 2017 and hello to 2018. As we wrap up the end of this year, we take a look at AI finding its way into cybersecurity, the FCC killing net neutrality, and someone getting an internet connection over wet string. Whatever 2018 has to throw at us, stay ahead of the curve, check out this roundup and enjoy the rest of December's best content! If you enjoy this collection of the web's top articles, feel free to follow us over on Facebook, Twitter, and Google+ for the same great content the rest of the year.