Two sentences: Wordfence reports a surge of attacks targeting Kaswara Modern WPBakery Page Builder Addons exploiting CVE-2021-24284 to upload PHP files and take over sites; the plugin is closed with no patch available, leaving all versions affected. Wordfence recommends removing the plugin entirely and notes protection is active for Wordfence users, with several hundred thousand daily attempts observed. #Kaswara #WPBakery #CVE2021-24284 #NDSW #Wordfence
Keypoints
- Attack activity sharply increased against Kaswara Modern WPBakery Page Builder Addons, which contains an unpatched arbitrary file upload vulnerability (CVE-2021-24284).
- The campaign uses a POST to /wp-admin/admin-ajax.php with action=uploadFontIcon to upload malicious files to compromised sites.
- A typical payload sequence involves a zip named a57bze8931.zip that extracts to a57bze8931.php, an attacker-controlled uploader that enables continued file uploads.
- Observed indicators include the MD5 hash d03c3095e33c7fe75acb8cddca230650 and files like a57bze8931.zip, a57bze8931.php, and additional names such as inject.zip, king_zip.zip, null.zip, and plugin.zip.
- NDSW Trojan activity is seen, injecting code into legitimate JavaScript files and redirecting visitors to malicious sites (e.g., the string ;if(ndsw== in JS).
- Scope and impact: about 10,215 attacking IPs were seen, with 1,599,852 unique sites targeted and 443,868 average daily exploit attempts; the majority of targeted sites were not running the vulnerable plugin.
- Remediation: remove Kaswara Modern WPBakery Page Builder Addons; Wordfence protection is in place for users, and professional incident response options are offered by Wordfence.
MITRE Techniques
- [T1190] Exploit Public-Facing Application: The campaign is exploiting CVE-2021-24284 to upload a PHP file, leading to code execution and site takeover. "arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin."
- [T1105] Ingress Tool Transfer: Attackers upload a zip file named a57bze8931.zip which, when extracted to /wp-content/uploads/kaswara/icons/, yields a57bze8931.php that can be used to upload more files. "zip file named a57bze8931.zip" and "a57bze8931.php extracted into the /wp-content/uploads/kaswara/icons/ directory."
- [T1505.003] Web Shell: The uploaded PHP file (a57bze8931.php) is an uploader under the control of the attacker, allowing continued file uploads. "The malicious file has an MD5 hash of d03c3095e33c7fe75acb8cddca230650" and "this file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website."
- [T1059.007] JavaScript: The NDSW trojan injects code into legitimate JavaScript files and redirects site visitors to malicious websites. "injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites."
Indicators of Compromise
- [IP Address]: Top attacking sources observed: 217.160.48.108 (1,591,765 exploit attempts blocked) and 5.9.9.29 (898,248 exploit attempts blocked), examples of prolific hosts driving the campaign.
- [IP Address]: Additional observed attackers include 2.58.149.35 (390,815), 20.94.76.10 (276,006), and 20.206.76.37 (212,766).
- [URL]: Endpoint used in attacks: /wp-admin/admin-ajax.php?action=uploadFontIcon.
- [File name]: a57bze8931.zip and a57bze8931.php observed in the campaign (ZIP containing a PHP uploader, and the extracted uploader itself).
- [File name]: inject.zip, king_zip.zip, null.zip, plugin.zip (additional filenames observed among attempts).
- [MD5 hash]: d03c3095e33c7fe75acb8cddca230650 (hash of the malicious a57bze8931.php uploader).
- [Directory]: /wp-content/uploads/kaswara/icons/ (where a57bze8931.php is extracted).
- [String]: ;if(ndsw== (NDSW JavaScript injection indicator detected in compromised JS files).
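The indicators above can be turned into a simple triage check. The following is an added example, not code from Wordfence or the report: it flags POST requests to the uploadFontIcon endpoint in combined-format access logs (the HTTP status separates blocked from accepted attempts), lists PHP files sitting in the kaswara icons directory, and tests JavaScript content for the NDSW marker. The log lines, file paths and JS snippet are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the Wordfence report summarised above.
UPLOAD_ENDPOINT = "/wp-admin/admin-ajax.php"
UPLOAD_ACTION = "uploadFontIcon"
ICON_DIR = "/wp-content/uploads/kaswara/icons/"
NDSW_MARKER = ";if(ndsw=="

# Apache/Nginx combined log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_upload_attempts(log_lines):
    """Return (client_ip, status) for every POST to admin-ajax.php?action=uploadFontIcon."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        url = urlsplit(m.group("target"))
        if url.path != UPLOAD_ENDPOINT:
            continue
        if UPLOAD_ACTION in parse_qs(url.query).get("action", []):
            hits.append((m.group("ip"), int(m.group("status"))))
    return hits

def flag_icon_dir_php(paths):
    """The icons directory should only hold font assets; any .php file there is suspect."""
    return [p for p in paths if p.startswith(ICON_DIR) and p.lower().endswith(".php")]

def flag_ndsw(js_text):
    """True when the NDSW injection marker string appears in JavaScript content."""
    return NDSW_MARKER in js_text

# Constructed sample input (not from the report); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Jul/2022:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.11 - - [20/Jul/2022:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [20/Jul/2022:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 403 0 "-" "python-requests/2.28"',
]
SAMPLE_PATHS = [
    "/wp-content/uploads/kaswara/icons/a57bze8931.php",
    "/wp-content/uploads/kaswara/icons/icons.svg",
    "/wp-content/uploads/2022/07/photo.jpg",
]
SAMPLE_JS = "window.onload=init();if(ndsw==undefined){/* constructed placeholder body */}"

if __name__ == "__main__":
    print(flag_upload_attempts(SAMPLE_LOG))
    print(flag_icon_dir_php(SAMPLE_PATHS))
    print(flag_ndsw(SAMPLE_JS))
```

A 200 response to the flagged POST on a site that still has the plugin installed warrants checking the icons directory for the uploader; a 403 indicates the attempt was rejected.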
Read more: https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-builder-addons-vulnerability/