Holiday Attack Spikes Target Ancient Vulnerabilities and Hidden Webshells

Attack attempts spiked over the holiday season, when skeleton staffing leaves monitoring reduced, with two notable waves targeting the Downloads Manager plugin. The findings emphasize removing outdated plugins, keeping WordPress components updated, and relying on firewall protections to block these attempts. #MisterSpyBotV7 #SaberBOTV1

Keypoints

  • Attack activity increases during major holidays when organizations run with skeleton staffing and monitoring may be reduced.
  • Two spikes specifically targeted the Downloads Manager plugin by Giulio Ganci, occurring on December 24, 2022 and January 4, 2023.
  • Over the reporting period, 466,827 attacking IP addresses attempted to exploit 2,663,905 protected websites; the top 10 IPs accounted for 90,693,836 exploit attempts.
  • Malicious payloads included webshells such as Mister Spy Bot V7 and Saber BOT V1, uploaded after files like readme.txt or debug.log were found.
  • Untargeted spikes involved known malicious user-agents, correlating with a broad rise in blocked attacks and probes for hidden webshells.
  • Recommendations include removing the vulnerable Downloads Manager plugin, updating all components, and using firewall/malware scanning (Wordfence) or incident response services if a compromise is suspected.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The flaw being targeted is an arbitrary file upload in Downloads Manager <= 0.2: the plugin does not adequately validate uploads, so an attacker can place a PHP file on the site and execute it. ‘The vulnerability would-be attackers are attempting to exploit is an arbitrary file upload vulnerability found in Downloads Manager <= 0.2. A lack of adequate validation made it possible for files to be uploaded and run on a vulnerable website.’
  • [T1505.003] Web Shell – Attackers used web shells such as Mister Spy Bot V7 and Saber BOT V1 to upload payloads, obtain reverse shells, and perform actions like defacement and user registration. ‘The Mister Spy shell returns some basic information about the operating system the website is running on, and the location of the site root on that system, and allows for files to be uploaded. In addition to these features, Mister Spy payloads typically include a reverse shell that allows a successful attacker to obtain additional information about the content management system being used on the website, install additional shells, deface the website, register malicious users on the website, and collect configuration details, among other features.’
  • [T1082] System Information Discovery – The Mister Spy Bot V7 payload reveals OS information and site root location, aiding reconnaissance. ‘The Mister Spy shell returns some basic information about the operating system the website is running on, and the location of the site root on that system…’

Indicators of Compromise

  • [Filename] Webshell filenames observed – up__jpodv.php, saber.php, and 2 more
  • [IP Address] Top Ten IP Addresses Targeting Downloads Manager – 158.69.23.79, 109.248.175.80, and 8 more
  • [IP Address] Top Ten IP Addresses Using Known Malicious User-Agents – 80.76.51.29, 85.31.44.203, and 8 more
  • [User-Agent] Top Ten User-Agents Targeting Downloads Manager – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36…, Mozilla/5.0 (Linux; Android 11; ONEPLUS A6013) AppleWebKit/537.36…, and 8 more
  • [User-Agent] Top Ten Blocked Known Malicious User-Agents – Mozlila/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36…, wp_is_mobile, and 8 more
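As an added detection example (not code from the Wordfence post or the Wordfence plugin), the following Python script triages combined-format web access logs for the behaviour described under T1190 and T1505.003 using the indicators listed above: reconnaissance probes for readme.txt and debug.log, POSTs into the Downloads Manager plugin directory, the Mozlila/wp_is_mobile user-agents, the listed IPs, and requests for the two named webshell filenames. The plugin directory slug, the upload.php filename in the sample, and the log lines themselves are constructed assumptions; the truncated "and N more" indicators are not filled in.

```python
import re
from collections import Counter, defaultdict

# Indicators quoted on this page. The "and N more" entries are not reproduced here,
# so extend these sets from the full Wordfence post before running against real logs.
IOC_IPS = {"158.69.23.79", "109.248.175.80", "80.76.51.29", "85.31.44.203"}
WEBSHELL_NAMES = {"up__jpodv.php", "saber.php"}
MALICIOUS_UA_MARKERS = ("Mozlila/5.0", "wp_is_mobile")  # "Mozlila" is the attacker's typo
PROBE_FILES = ("readme.txt", "debug.log")
# Assumed plugin directory slug; the page does not name the upload endpoint, so any
# POST into the plugin directory is treated as a possible upload attempt.
PLUGIN_DIR = "/wp-content/plugins/downloads-manager/"

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic); the upload.php name is hypothetical.
SAMPLE_LOG = """\
158.69.23.79 - - [24/Dec/2022:03:14:07 +0000] "GET /wp-content/plugins/downloads-manager/readme.txt HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
158.69.23.79 - - [24/Dec/2022:03:14:09 +0000] "POST /wp-content/plugins/downloads-manager/upload.php HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
158.69.23.79 - - [24/Dec/2022:03:14:11 +0000] "GET /wp-content/plugins/downloads-manager/upload/up__jpodv.php HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
80.76.51.29 - - [26/Dec/2022:11:02:44 +0000] "GET /saber.php HTTP/1.1" 200 812 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36"
203.0.113.5 - - [26/Dec/2022:11:03:01 +0000] "GET /wp-content/debug.log HTTP/1.1" 404 0 "-" "wp_is_mobile"
198.51.100.7 - - [26/Dec/2022:11:05:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before path checks
    rec["basename"] = rec["path"].rsplit("/", 1)[-1]
    return rec


def tags_for(rec):
    """Return the indicator tags matching a parsed record, in a fixed order."""
    tags = []
    if rec["ip"] in IOC_IPS:
        tags.append("ioc-ip")
    if any(marker in rec["ua"] for marker in MALICIOUS_UA_MARKERS):
        tags.append("malicious-ua")
    if rec["basename"] in PROBE_FILES:
        tags.append("recon-probe")
    if rec["method"] == "POST" and rec["path"].startswith(PLUGIN_DIR):
        tags.append("plugin-upload-attempt")
    if rec["basename"] in WEBSHELL_NAMES:
        # A 2xx means the shell exists and answered; anything else is the attacker checking for it.
        tags.append("webshell-hit" if rec["status"].startswith("2") else "webshell-probe")
    return tags


def classify(line):
    """Tags for a single raw log line; unparseable lines yield []."""
    rec = parse(line)
    return tags_for(rec) if rec else []


def triage(log_text):
    """Aggregate tag counts per source IP, keeping only IPs that matched something."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            for tag in tags_for(rec):
                report[rec["ip"]][tag] += 1
    return dict(report)


def priority(tag_counts):
    """Rank an IP: a live webshell response outranks upload attempts, which outrank recon."""
    if tag_counts["webshell-hit"]:
        return "high"
    if tag_counts["plugin-upload-attempt"] or tag_counts["webshell-probe"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for ip, counts in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {priority(counts):6} {dict(counts)}")
```

Any IP rated "high" has received a 2xx for a known webshell filename, which means the file exists on disk and the host should be treated as compromised rather than merely probed; a "medium" rating on an IP that also carries the ioc-ip tag is the pattern the page describes for the Downloads Manager waves (probe readme.txt, POST an upload, then request the dropped file).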

Read more: https://www.wordfence.com/blog/2023/01/holiday-attack-spikes-target-ancient-vulnerabilities-and-hidden-webshells/