In mid-December, security researchers discovered a new malware campaign, dubbed SoakSoak, was responsible for the infection of more than 100,000 WordPress sites in just two days. The malware caused blogs to be used as attack platforms, installing malware on the machines of those who visit the sites and perpetuating the cycle of infection. While multiple types of websites could be exploited with this malware, those across the WordPress hosting spectrum have been predominantly affected.
According to security analysts, the malicious software feeds off of a vulnerability in a slideshow plug-in known as RevSlider. The team behind the plug-in has released a patch for the flaw, but the older, vulnerable version is still available packaged within WordPress theme bundles, so many sites still host the flaw. So far, Google has blocked 11,000 domains in an effort to mitigate the effects of the attack, but that is only a small percentage of the total number of sites infected. One in every six websites around the world is hosted through WordPress, meaning an untold number of sites could eventually host the malware.
“This campaign is also making use of a number of new backdoor payloads, some are being injected into images to further assist evasion and others are being used to inject new administrator users into the WordPress installs, giving them even more control long term,” said cybersecurity expert Daniel Cid in an interview with The Guardian.
Defending against malware infection
While active sites with diligent administrators have been able to remove the offending code and institute firewalls, blogs with less capable management could continue to host the vulnerability indefinitely. WordPress is used by more than 70 million sites as a content management system, ranging from personal blogs to major websites like Time.com. However, this specific malware appears to only be affecting self-hosted WordPress sites.
The campaign was pulling malware from a site hosted with a Russian domain which is currently offline, leading researchers to believe that the attacks spread more quickly than the hackers originally thought. It has yet to be determined what the purpose of the malware attack is, but odds are the results won’t be pretty.
These types of attacks are likely to occur more frequently in the new year as cybercriminals and their methods become more sophisticated. Enterprises looking for a way to reliably secure their sensitive networks would be wise to install an Anti-Virus program as part of a layered security solution. Faronics Anti-Virus software provides companies with multiple cybersecurity tools in a single solution, including Web filtering, rootkit defense, anti-virus, anti-rootkit and anti-spyware capabilities.