Criminals have inevitably begun to attempt to monetize attacks against WordPress sites still vulnerable to a severe REST API endpoint vulnerability silently patched in the recent 4.7.2 security update.
While more than one million websites have been defaced, researchers are now beginning to see some defacements leave behind links to rogue pharmaceutical websites trying to spam users into buying drugs or lure them into phishing scams for their payment card information.
The attackers are taking advantage of websites running on the WordPress platform that have not yet updated to the most recent version. Researchers at SiteLock estimate that some 20 attackers are vying for these illicit dollars, some defacing sites multiple times, sometimes removing links and solicitations left behind by other criminals and replacing those with their own.
“The ease of execution is so low and so easy, we’re seeing script kiddies pick up this exploit and have a field day with it,” said Logan Kipp of SiteLock. “We’re seeing these 20 or so different actors fighting over control and overwriting defacements, many times minutes apart.”
The defacements started out largely as bragging escapades by hackers, but quickly escalated to these profit-motivated attacks.
“This is the first case we’re aware of where someone is trying for monetary gain,” Kipp said. “They’re trying to get you to visit rogue pharmacy sites where there’s an equally high chance they’re going to steal your credit card number and run. North of 50 percent of the time, that’s the case with these sites.”
The vulnerability, found and privately disclosed by researchers at Sucuri, allows an unauthenticated attacker with a single crafted request to reach the API and change post content and URL permalinks. The issue lies in the way the REST API resolves request parameters: a value supplied in the query string or request body takes priority over the numeric post ID captured from the URL route. An ID containing letters, such as 123abc, is looked up as-is by the permission check, matches no post and so skips the check, but is then cast to an integer on the update path, where it resolves to post 123. The net effect is that any anonymous visitor could edit any post on the site without credentials.
“It’s very simple to execute,” Kipp said of the exploit, which is publicly available on many sources. “We’re seeing people use it this way—20 hackers with 100 or more defacements apiece—now looking to make money. This was absolutely inevitable.”
The REST API endpoint vulnerability was introduced in WordPress 4.7 in December, and silently patched earlier this month because of its severity. Since WordPress enables automatic background updates for security releases by default, most installations are already updated and secured. Those that have disabled the feature, or on which an update failed, remain vulnerable; SiteLock estimates this number to be between 15 percent and 20 percent of WordPress sites.
“Short of patching, it’s a simple fix: Treat it like a cross-site scripting vulnerability and sanitize the values coming in over the API controller,” Kipp said. “Doing this could neuter the problem.”
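The following Python model illustrates the two points above: the parameter-priority and integer-cast mismatch that lets a lettered ID slip past the permission check, and the kind of strict ID validation Kipp is describing. It is an added example written for this article, not code from WordPress, Sucuri or SiteLock; the post store, the parameter-resolution order, the strict lookup used by the permission check and the access-log lines are constructed stand-ins for the real WordPress plumbing, and PHP's (int) cast semantics are emulated by a small helper.

```python
"""Model of the WordPress 4.7.0/4.7.1 REST API post-update flaw (constructed example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the wp_posts table.
POSTS = {123: {"title": "Welcome", "content": "Hello world"}}


def php_int(value):
    """Emulate PHP's (int) cast on a string: leading digits count, the rest is
    ignored, and a string with no leading digits becomes 0. '123abc' -> 123."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def resolve_param(name, route, query, body):
    """Lookup order modelled on WP_REST_Request: body first, then the query
    string, then the value the URL route regex captured. A body or query-string
    'id' therefore overrides the digits-only id matched in the route."""
    for source in (body, query, route):
        if name in source:
            return source[name]
    return None


def strict_get_post(raw_id):
    """Assumed behaviour of the lookup used by the permission check: a value
    that is not strictly numeric finds no post at all."""
    if not re.fullmatch(r"\d+", str(raw_id)):
        return None
    return POSTS.get(int(raw_id))


def vulnerable_update(route, query, body, authenticated, new_content):
    """Modelled 4.7.0/4.7.1 flow: the permission check looks up the raw id, but
    the update path casts it with (int) and edits whatever that resolves to."""
    raw_id = resolve_param("id", route, query, body)
    post = strict_get_post(raw_id)            # None for '123abc' ...
    if post is not None and not authenticated:
        return "denied"                       # ... so this never fires
    target = POSTS.get(php_int(raw_id))       # '123abc' -> 123
    if target is None:
        return "not found"
    target["content"] = new_content
    return "updated %d" % php_int(raw_id)


def patched_update(route, query, body, authenticated, new_content):
    """Hardened flow: canonicalise the id once, reject anything that is not a
    positive integer, and use the same post for the check and the write."""
    raw_id = resolve_param("id", route, query, body)
    if not re.fullmatch(r"\d+", str(raw_id)) or int(raw_id) <= 0:
        return "invalid id"
    post = POSTS.get(int(raw_id))
    if post is None:
        return "not found"
    if not authenticated:
        return "denied"
    post["content"] = new_content
    return "updated %s" % raw_id


# Constructed access-log lines in common log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2017:10:01:02 +0000] "GET /wp-json/wp/v2/posts/123 HTTP/1.1" 200 812',
    '203.0.113.9 - - [06/Feb/2017:10:01:07 +0000] "POST /wp-json/wp/v2/posts/123?id=123abc HTTP/1.1" 200 812',
    '198.51.100.7 - - [06/Feb/2017:10:02:11 +0000] "POST /wp-json/wp/v2/posts/123?id=123 HTTP/1.1" 401 95',
]


def flag_suspicious_requests(log_lines):
    """Flag requests to the posts endpoint whose query-string 'id' is not
    purely numeric, the signature of the override modelled above."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|PUT|PATCH) (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not re.fullmatch(r"/wp-json/wp/v2/posts/\d+/?", url.path):
            continue
        for value in parse_qs(url.query).get("id", []):
            if not value.isdigit():
                hits.append((url.path, value))
    return hits


if __name__ == "__main__":
    route = {"id": "123"}
    print(vulnerable_update(route, {"id": "123abc"}, {}, False, "defaced"))
    print(patched_update(route, {"id": "123abc"}, {}, False, "defaced"))
    print(flag_suspicious_requests(SAMPLE_LOG))
```

The log check only sees query-string overrides; an `id` sent in a JSON or form body never appears in the access log, so that variant is only visible to a web application firewall or to the application itself, which is why validating the parameter at the API controller, as Kipp suggests, covers more than log-based detection does.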
Overall, WordPress site defacements because of this vulnerability escalated quickly from tens of thousands to more than 800,000 in a 48-hour period less than two weeks ago. The reason, according to WordFence, a WordPress security plugin developer, is that attackers refined their attacks to bypass a rule that WordFence and others had implemented to stem the tide. Two different campaigns tracked by WordFence were responsible for close to 700,000 defacements on their own.
“In the actual core, having a vulnerability is rare,” Kipp said. “This was a big one yes, but it was handled well and patched in a short amount of time. Most users are not impacted.”