The Growing Threat to WordPress Websites
Over 1,000 WordPress-powered websites have recently fallen victim to a sophisticated malware attack that injects third-party JavaScript code, establishing four separate backdoors. This attack grants persistent access to cybercriminals, enabling them to maintain control over compromised websites even if one access point is detected and removed.
Himanshu Anand, a researcher at c/side, highlighted the severity of the attack in a recent analysis: “Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed.”
The malicious JavaScript is being served through cdn.csyndication[.]com, and as of now, references to this domain have been identified on at least 908 compromised websites.
Understanding the Four Backdoors
The attackers have implemented four distinct backdoors, each designed to ensure long-term control over the affected websites. Below is a breakdown of each backdoor’s function:
- Fake Plugin Installation– The attackers upload and install a fraudulent plugin named “Ultra SEO Processor.” This plugin allows them to execute remote commands and manipulate the website at will.
- Malicious Code Injection into wp-config.php– This backdoor injects JavaScript directly into the wp-config.php file, a critical configuration file that controls WordPress settings, effectively providing attackers with persistent access.
- Unauthorized SSH Key Addition– The attackers add an SSH key to the ~/.ssh/authorized_keys file, allowing them to remotely access and control the website’s hosting server without requiring traditional login credentials.
- Remote Command Execution– This backdoor executes remote commands and fetches another payload from gsocket[.]io, potentially opening a reverse shell to further infiltrate the server.
Mitigation Measures
Website administrators must act swiftly to secure their sites against these vulnerabilities. The following steps can help mitigate the risks associated with this attack:
- Delete unauthorized SSH keysfrom the server to prevent remote access by attackers.
- Rotate WordPress admin credentialsto ensure any stolen passwords become obsolete.
- Monitor system logsfor unusual activity, such as unauthorized login attempts or unexpected file modifications.
- Conduct a full security scanusing reputable malware detection tools.
- Ensure all WordPress plugins and themesare up to date and remove any unverified or outdated extensions.
A Larger Trend: Mass Website Compromises
This incident is part of a broader surge in cyberattacks targeting websites worldwide. Another recent malware campaign has compromised over 35,000 websites, injecting malicious JavaScript designed to hijack user browser sessions and redirect visitors to Chinese-language gambling platforms.
The Scope of the Gambling Redirection Attack
According to cybersecurity experts, this attack primarily targets or originates from regions where Mandarin is widely spoken. Visitors to infected sites are redirected to gambling pages under the “Kaiyun” brand. The attack operates through JavaScript hosted on five domains:
- mlbetjs[.]com
- ptfafajs[.]com
- zuizhongjs[.]com
- jbwzzzjs[.]com
- jpbkte[.]com
ScreamedJungle and Bablosoft JS Target E-Commerce Websites
Further complicating the cybersecurity landscape, Group-IB has recently uncovered another campaign targeting Magento eCommerce websites. The threat actor, dubbed ScreamedJungle, injects a Bablosoft JavaScript (JS) payload to collect user fingerprints.
At least 115 Magento-based eCommerce sites have been affected by this attack. The injected script, part of the Bablosoft BrowserAutomationStudio (BAS) suite, gathers sensitive user and browser data, potentially allowing attackers to mimic legitimate behavior and evade security measures.
Exploiting Known Magento Vulnerabilities
Attackers behind this campaign are exploiting well-documented vulnerabilities in Magento, including:
- CVE-2024-34102(also known as CosmicSting)
- CVE-2024-20720
These security flaws provide an entry point for attackers to implant JavaScript that collects user data for malicious purposes.
According to Group-IB, “Browser fingerprinting is a powerful technique commonly used by websites to track user activities and tailor marketing strategies. However, this information is also exploited by cybercriminals to mimic legitimate user behavior, evade security measures, and conduct fraudulent activities.”
Conclusion: Strengthening Website Security is Critical
The increasing frequency of WordPress and eCommerce website compromises highlights the urgent need for website administrators and business owners to prioritize security measures. The latest attacks emphasize how cybercriminals are evolving their techniques to ensure persistent access and maximize their impact.
To safeguard against these threats, businesses must adopt a proactive approach that includes regular security audits, timely software updates, and robust monitoring systems. Cybersecurity is no longer optional—it’s an essential part of maintaining a safe and trustworthy online presence.
For expert guidance on protecting your website and implementing effective security measures, contact Bullzeye Media Marketing hosting today. Our team is dedicated to ensuring your digital assets remain secure from evolving threats.
