• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

WordPress REST API Vulnerability Abused in Defacement Campaigns

February 6, 2017Daniel CidEspanolPortugues

779
SHARES
FacebookTwitterSubscribe

WordPress 4.7.2 was released two weeks ago, including a fix for a severe vulnerability in the WordPress REST API. We have been monitoring our WAF network and honeypots closely to see how and when the attackers would try to exploit this issue the wild.

In less than 48 hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online. With that information easily available, the internet-wide probing and exploit attempts began.

Patches Are Not Being Applied

WordPress has an auto-update feature enabled by default, along with an easy 1-click manual update process. Despite this, not everyone is aware of this issue or able to update their site. This is leading to a large number of sites being compromised and defaced.

We are currently tracking four different hacking (defacement) groups doing mass scans and exploits attempts across the internet. We see the same IP addresses and defacers hitting almost every one of our honeypots and network.

If Google is correct, these defacers seem to be succeeding.

Campaign #1

Just for one defacer, which we call Campaign #1, Google alone shows 66,000+ pages compromised:

They started the exploits less than 48 hours ago. We assume Google hasn’t had time to reindex all compromised pages. We anticipate that the number on Google’s SERP will continue to increase as the re-indexing scans continue.

IP Addresses being used:

  • 176.9.36.102
  • 185.116.213.71
  • 134.213.54.163
  • 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1

Defacer[s] group behind it: by w4l3XzY3.

We recommend blocking these IP addresses or investigating their activity via your logs. Specially if you didn’t update in time.

Campaign #2

The second campaign is not as successful, with Google only showing 500+ pages compromised. This campaign started just a few hours ago, so probably not enough time for Google to index the pages.

IP Address:

  • 37.237.192.22

Defacer[s] group behind it: Cyb3r-Shia.

Campaign #3 and #4

This campaign is a bit unique, where two different defacers are sharing the same IP address. Each defacer has compromised over 500 pages (according to Google).

IP Address:

  • 144.217.81.160

Defacer[s] group behind it: By+NeT.Defacer & By+Hawleri_hacker

We don’t like naming defacers as they do it for publicity, but we are sharing their names so we can track their growth better and compare with other security companies. If you have been hacked by any of these, or you see their names showing up on any of your blog posts, they likely used this vulnerability to compromise the site.

Spam SEO Will Be a Problem

The defacement campaigns are going strong and increasing by the day, but we believe that it will slow down in the next few days. What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward. There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability.

This is the currently exploitation attempts against our WAF Network for the last 5 days:

This vulnerability is very recent and lot may change in the next few days. We will keep sharing updates as this issue progresses.

Be on the know:

We have released a WordPress Security Guide that allows you to be up to date with vulnerabilities and the best practices you need to be able to effectively protect your website.

 

779
SHARES
FacebookTwitterSubscribe

Categories: Security Advisory, WordPress SecurityTags: SEO Spam

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

WordPress Security Course

WordPress Security Guide

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.