PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin

Wordfence issued an alert about an actively exploited zero-day vulnerability in BackupBuddy that allowed unauthenticated file downloads from WordPress sites. Nearly 5 million attacks were blocked since August 26, 2022, and a patched version, 8.7.5, was released on September 2, 2022. #BackupBuddy #WordPress

Keypoints

  • The BackupBuddy WordPress plugin (versions 8.5.8.0–8.7.4.1) contained a vulnerability enabling unauthenticated file downloads from the server.
  • Attacks targeting this vulnerability began ~August 26, 2022, with nearly 4.95 million attempts blocked by Wordfence.
  • A patch was released in version 8.7.5 (September 2, 2022); site owners are urged to update to the patched version.
  • Wordfence firewall protections, including directory traversal and file inclusion filters, protected all users; premium customers benefited from IP Blocklist enforcement.
  • Attackers attempted to access sensitive files such as /wp-config.php and /etc/passwd, among others (e.g., .my.cnf, .accesshash).
  • Indicators of compromise include specific HTTP parameters (local-download, local-destination-id) and path traversal patterns in requests; compromised sites may show these in logs.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The vulnerability in the BackupBuddy plugin allowed unauthenticated users to download arbitrary files from the affected site. “The vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site.”
  • [T1552.001] Credentials in Files – Attackers attempted to read sensitive files such as /wp-config.php and /etc/passwd. “The top files … /wp-config.php and /etc/passwd” and similar targets were observed.
  • [T1005] Data from Local System – The vulnerability enabled downloading local backups via the Local Directory Copy, effectively exfiltrating data from the server. “download local back-up files” was referenced in the context of the vulnerable function.

Indicators of Compromise

  • [IP Address] Attacking IP addresses – 195.178.120.89, 51.142.90.255, and 8 more IPs
  • [File] Targeted sensitive files – /wp-config.php, /etc/passwd, and 2 more files
  • [HTTP Parameter] Local download indicators – local-download, local-destination-id parameters in requests
  • [Software Version] Affected versions – 8.5.8.0 to 8.7.4.1
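As an added example (not from Wordfence or the BackupBuddy project), the following script scans web-server access-log lines for the indicators listed above: the local-download and local-destination-id parameters combined with path traversal or one of the named sensitive files. The log lines, IP addresses (documentation ranges) and request path are constructed; the page does not state the vulnerable endpoint, so the check keys on parameters and paths rather than on a URL.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# HTTP parameters the page lists as indicators of the download attempts.
SUSPECT_PARAMS = {"local-download", "local-destination-id"}
# Files the page names as attacker targets.
SENSITIVE_FILES = ("wp-config.php", "/etc/passwd", ".my.cnf", ".accesshash")
# Directory traversal, plain or URL-encoded (single or double encoding).
TRAVERSAL_RE = re.compile(
    r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%252e%252e%252f)", re.IGNORECASE)
# Combined-format access log: ip ident user [time] "METHOD URL PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines: two matching requests and one benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Aug/2022:10:15:02 +0000] "GET /?local-download=..%2F..%2Fwp-config.php&local-destination-id=0 HTTP/1.1" 200 1337
198.51.100.5 - - [27/Aug/2022:10:16:44 +0000] "GET /wp-content/uploads/2022/08/photo.jpg HTTP/1.1" 200 5120
203.0.113.7 - - [27/Aug/2022:10:17:09 +0000] "GET /?local-destination-id=0&local-download=/etc/passwd HTTP/1.1" 403 0
"""

def inspect_request(url):
    """Return the indicator categories a single request URL matches."""
    reasons = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hit_params = SUSPECT_PARAMS & set(query)
    if hit_params:
        reasons.append("param:" + ",".join(sorted(hit_params)))
    decoded = unquote(unquote(url))  # undo double encoding before matching
    if TRAVERSAL_RE.search(url) or TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    for name in SENSITIVE_FILES:
        if name in decoded:
            reasons.append("file:" + name)
            break
    return reasons

def scan_log(lines):
    """Return (ip, url, reasons) for requests carrying a suspect parameter
    together with traversal or a sensitive-file name; either alone is noise."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m.group("url"))
        if any(r.startswith("param:") for r in reasons) and len(reasons) > 1:
            findings.append((m.group("ip"), m.group("url"), reasons))
    return findings

if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, url, reasons)
```

Parameters sent in a POST body do not appear in standard access logs, so pair this with WAF or application logging when reviewing a site that ran an affected version.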

Read more: https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin/?web_view=true