{"id":14277,"date":"2020-05-09T08:15:06","date_gmt":"2020-05-09T08:15:06","guid":{"rendered":"https:\/\/clients.afaghhosting.net\/index.php?rp=\/announcements\/404"},"modified":"2020-05-09T08:15:06","modified_gmt":"2020-05-09T08:15:06","slug":"%d9%85%db%8c%d9%84%db%8c%d9%88%d9%86-%d9%87%d8%a7-%d8%b3%d8%a7%db%8c%d8%aa-%d9%88%d8%b1%d8%af%d9%be%d8%b1%d8%b3%db%8c-%d9%87%da%a9-%d8%b4%d8%af%d9%86%d8%af","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/%d9%85%db%8c%d9%84%db%8c%d9%88%d9%86-%d9%87%d8%a7-%d8%b3%d8%a7%db%8c%d8%aa-%d9%88%d8%b1%d8%af%d9%be%d8%b1%d8%b3%db%8c-%d9%87%da%a9-%d8%b4%d8%af%d9%86%d8%af\/","title":{"rendered":"Millions of WordPress sites were hacked"},"content":{"rendered":"<div class=\"the-content add-bottom\">\n<p dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">Our Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting (XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data.<\/p>\n<p dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">The majority of these attacks appear to be caused by a single threat actor, based on the payload they are attempting to inject \u2013 a malicious JavaScript that redirects visitors and takes advantage of an administrator\u2019s session to insert a backdoor into the theme\u2019s header.<\/p>\n<p dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">After further investigation, we found that this threat actor was also attacking other vulnerabilities, primarily older vulnerabilities that allow them to change a site\u2019s home URL to the same domain used in the XSS payload in order to redirect visitors to malvertising sites.<\/p>\n<p dir=\"ltr\" 
style=\"background-color: #ffffff; color: #626262; text-align: left;\">Due to the sheer volume and variety of attacks and sites that we\u2019ve seen targeted, your site may be exposed to these attacks, and the malicious actor will likely pivot to other vulnerabilities in the future. Indicators of Compromise (IoCs) are listed below so you can monitor your sites.<\/p>\n<p dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it\u2019s only in the past few days that they\u2019ve truly ramped up, to the point where more than 20 million attacks were attempted against more than half a million individual sites on May 3, 2020. Over the course of the past month in total, we\u2019ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites.<\/p>\n<p dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">All Wordfence users, including Wordfence Premium and free Wordfence users, are protected from XSS attacks via the Web Application Firewall\u2019s built-in XSS protection. The Web Application Firewall also has a set of rules protecting against the attacks we\u2019ve seen attempting to modify the home URL of a site. As these attacks appear to be targeted at vulnerabilities that have been patched for months or years, both Wordfence Premium and free Wordfence users should be protected.<\/p>\n<h2 dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">Targets<\/h2>\n<p dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">Many of the targeted vulnerabilities have been attacked in previous campaigns. 
The most popular vulnerabilities targeted were:<\/p>\n<ol dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">\n<li>An XSS vulnerability in the\u00a0<a href=\"https:\/\/wordpress.org\/plugins\/easy2map\/\" target=\"_blank\" rel=\"noopener noreferrer\">Easy2Map<\/a>\u00a0plugin, which was removed from the WordPress plugin repository in August of 2019, and which we estimate is likely installed on fewer than 3,000 sites. This accounted for more than half of all of the attacks.<\/li>\n<li>An XSS vulnerability in\u00a0<a href=\"https:\/\/wordpress.org\/plugins\/blog-designer\/\" target=\"_blank\" rel=\"noopener noreferrer\">Blog Designer<\/a>, which was patched in 2019. We estimate that no more than 1,000 vulnerable installations remain, though this vulnerability was the\u00a0<a href=\"https:\/\/www.wordfence.com\/blog\/2019\/07\/recent-wordpress-vulnerabilities-targeted-by-malvertising-campaign\/\" target=\"_blank\" rel=\"noopener\">target<\/a>\u00a0of\u00a0<a href=\"https:\/\/www.wordfence.com\/blog\/2019\/08\/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities\/\" target=\"_blank\" rel=\"noopener noreferrer\">previous campaigns<\/a>.<\/li>\n<li>An options update vulnerability in\u00a0<a href=\"https:\/\/wordpress.org\/plugins\/wp-gdpr-compliance\/\" target=\"_blank\" rel=\"noopener noreferrer\">WP GDPR Compliance<\/a>, patched in late 2018, which would allow attackers to change the site\u2019s home URL\u00a0<a href=\"https:\/\/www.wordfence.com\/blog\/2018\/11\/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild\/\" target=\"_blank\" rel=\"noopener noreferrer\">in addition<\/a>\u00a0to\u00a0<a href=\"https:\/\/www.wordfence.com\/blog\/2018\/11\/trends-following-vulnerability-in-wp-gdpr-compliance-plugin\/\" target=\"_blank\" rel=\"noopener noreferrer\">other options<\/a>. 
Although this plugin has more than 100,000 installations, we estimate that no more than 5,000 vulnerable installations remain.<\/li>\n<li>An options update vulnerability in\u00a0<a href=\"https:\/\/www.wordfence.com\/blog\/2019\/01\/wordpress-sites-compromised-via-zero-day-vulnerabilities-in-total-donations-plugin\/\" target=\"_blank\" rel=\"noopener noreferrer\">Total Donations<\/a>\u00a0which would allow attackers to change the site\u2019s home URL. This plugin was removed permanently from the Envato Marketplace in early 2019, and we estimate that fewer than 1,000 total installations remain.<\/li>\n<li>An XSS vulnerability in the Newspaper theme, which was patched in 2016. This vulnerability has also been\u00a0<a href=\"https:\/\/www.wordfence.com\/blog\/2017\/08\/traffictrade-malware\/\" target=\"_blank\" rel=\"noopener noreferrer\">targeted in the past<\/a>.<\/li>\n<\/ol>\n<p dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">Although it is not readily apparent why these vulnerabilities were targeted, this is a large-scale campaign that could easily pivot to other targets.<\/p>\n<h2 dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">Breaking Down the Attack Data<\/h2>\n<p dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\">The majority of these attacks are attempting to insert a malicious JavaScript located at\u00a0<code>count[.]trackstatisticsss[.]com\/stm<\/code>\u00a0(typically followed by what appears to be a version query string to prevent caching) into a site in the hope that it will be executed by an administrator\u2019s browser. In some cases these attempts include the plain URI of the malicious script, while in others they rely on <code>String.fromCharCode<\/code> to obfuscate the injected script location. 
Earlier iterations of these attacks appear to have used\u00a0<code>ws[.]stivenfernando[.]com\/stm<\/code>\u00a0as the malicious payload.<\/p>\n<p dir=\"ltr\" style=\"background-color: #ffffff; color: #626262; text-align: left;\"><a href=\"https:\/\/www.wordfence.com\/blog\/2020\/05\/nearly-a-million-wp-sites-targeted-in-large-scale-attacks\/?utm_campaign=Wordfence%20Blog%20Emails&amp;utm_medium=email&amp;_hsmi=87437114&amp;_hsenc=p2ANqtz-_UmwxolLJZPPLOPjmi5j_3A79wpOkht3jL7fAqonlbg4cYaXwC406tSwkcbRwwbN0FWwwt&amp;utm_content=87437114&amp;utm_source=hs_email\" target=\"_blank\" rel=\"noopener\">More information<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Our Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting (XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data. 
The majority of these attacks appear to be caused by a single threat &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[],"class_list":["post-14277","post","type-post","status-publish","format-standard","hentry","category-27"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/14277","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=14277"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/14277\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=14277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=14277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=14277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}