Wordfence researchers report that attackers have found a new way to compromise sites running WordPress: they use poorly protected WordPress.com accounts and the Jetpack plugin to install backdoored plugins on those sites.
According to the researchers, criminals have been using this type of attack since May 16, 2018, which is also confirmed by reports from affected users on the WordPress.org forums.
In the first stage of the attack, the hackers obtain a username and password that match a WordPress.com account (the credentials are taken from various large leaked databases). Since password reuse remains one of the main weaknesses of users, the intruders have no shortage of such accounts.
It is worth noting here that WordPress.com accounts are mainly used to manage blogs hosted on Automattic's platform, so they are distinct from accounts on WordPress.org and from the administrative accounts of individual sites running the WordPress CMS.
However, a few years ago Automattic's developers released the open source analytics plugin Jetpack, based on the version used at the time on WordPress.com. Since then the open source version of this plugin has acquired many useful functions and is widely used by administrators of self-hosted WordPress sites.
One of Jetpack's features is the ability to link a self-hosted WordPress site with a WordPress.com account. The Jetpack panel can then be used directly from WordPress.com, and with it hundreds of WordPress-based sites can be managed from one location. To do this, Jetpack must be installed on each site, but plugins can also be installed on the linked sites directly from the WordPress.com control panel. Such a plugin does not even need to be hosted in the official WordPress.org repository, which gave the attackers the ability to upload arbitrary ZIP files containing malicious code to sites.
According to Wordfence, the attackers take over WordPress.com accounts, and if an account is linked to self-hosted WordPress sites, the criminals gain the ability to install malicious plugins containing a backdoor on those sites. On May 16, unknown hackers distributed the pluginsamonsters plugin in this way, and on May 21 they switched to the wpsmilepack plugin. So far, the attackers have used these backdoors to send spam and to create fake technical support pages.
The exact number of affected sites is unknown, and the researchers note that even detecting such an attack is difficult: the malicious plugins are visible in the WordPress.com control panel but are "invisible" in the plugin list on the affected sites themselves. Experts therefore urge website owners who also have WordPress.com accounts to check the list of installed plugins and, if necessary, remove the malicious ones, change their passwords and enable two-factor authentication.
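As an added example (not from the Wordfence research or the article), the following Python audit script works around the detection problem described above by reading the site's filesystem and database state instead of trusting the admin plugin list: it compares the plugin entries under wp-content/plugins with the PHP-serialized active_plugins option and flags any plugin that registers WordPress's all_plugins filter, the core hook commonly used to hide an entry from that list. The sample site layout, the plugin names and the serialized option value are constructed for the demo; nothing here describes the actual behaviour of the plugins the article names.

```python
import re
import tempfile
from pathlib import Path

# Hook that plugin-hiding code commonly registers to filter itself out of the admin
# plugin list (a real WordPress core filter; flagging it is this example's own heuristic).
HIDE_HOOK = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")

def parse_active_plugins(serialized):
    """Return the plugin paths stored in the PHP-serialized `active_plugins` option."""
    return set(re.findall(r's:\d+:"([^"]+)";', serialized))

def audit_plugins(plugins_dir, active_serialized):
    """Compare plugins present on disk with those the database marks active."""
    plugins_dir = Path(plugins_dir)
    active = parse_active_plugins(active_serialized)
    on_disk, hiders = set(), set()
    for entry in sorted(plugins_dir.iterdir()):
        php_files = [entry] if entry.is_file() else sorted(entry.glob("*.php"))  # file or dir plugin
        for f in php_files:
            text = f.read_text(errors="ignore")
            slug = f.relative_to(plugins_dir).as_posix()
            if "Plugin Name:" in text:  # the main file carries the plugin header
                on_disk.add(slug)
            if HIDE_HOOK.search(text):
                hiders.add(slug.split("/")[0])
    return {
        "active_but_missing": sorted(active - on_disk),
        "on_disk_but_inactive": sorted(on_disk - active),
        "hides_from_list": sorted(hiders),
    }

def build_sample_site():
    """Constructed sample site: two plugins active in the DB, one dormant, one self-hiding."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    (root / "akismet").mkdir(parents=True)
    (root / "akismet" / "akismet.php").write_text("<?php\n/*\nPlugin Name: Akismet\n*/\n")
    (root / "hello.php").write_text("<?php\n/*\nPlugin Name: Hello Dolly\n*/\n")
    (root / "wpsmilepack").mkdir()
    (root / "wpsmilepack" / "wpsmilepack.php").write_text(
        "<?php\n/*\nPlugin Name: WP Smile Pack\n*/\n"
        "add_filter('all_plugins', 'wpsmilepack_filter');\n")
    # Constructed `active_plugins` value in the form WordPress stores it in wp_options.
    active = 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:27:"wpsmilepack/wpsmilepack.php";}'
    return root, active

if __name__ == "__main__":
    for finding, slugs in audit_plugins(*build_sample_site()).items():
        print(f"{finding}: {slugs}")
```

On a real site, point `audit_plugins` at the live wp-content/plugins directory and pass the `active_plugins` value read from the wp_options table; any plugin in `hides_from_list` or `active_but_missing` deserves a manual look.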