Wordfence Threat Intelligence tracked a targeted exploit campaign against WooCommerce Payments CVE-2023-28121, which allowed unauthenticated attackers to obtain administrative privileges on vulnerable sites. The attackers used a multi-stage workflow including plugin enumeration, WP Console-based code execution, persistence via a file uploader, and creation of rogue administrator accounts, with most attacks originating from a small set of IP addresses.
Keypoints
- The campaign targeted the WooCommerce Payments vulnerability (CVE-2023-28121) on more than 600,000 sites, peaking with 1.3 million attacks against 157,000 sites over a weekend in July 2023.
- The vulnerability allowed unauthenticated attackers to obtain administrative privileges, rated as Critical (CVSS 9.8).
- Wordfence’s firewall protections have shielded all users since April 2023, with Premium/Care/Response protections available earlier in March 2023.
- Early warning signs included enumeration requests for the plugin's readme.txt in the wp-content/plugins/woocommerce-payments/ directory, observed across millions of sites.
- Most attacks originated from a small, defined set of IP addresses, while readme.txt requests were spread across thousands of IP addresses; only a minority of those addresses sent both readme.txt requests and actual attacks.
- Attackers used a header to impersonate administrative activity (X-Wcpay-Platform-Checkout-User: 1), installed the WP Console plugin to execute code, and placed a file uploader to establish persistence, including creating randomized admin users like ac9edbbe.
- Defenders are advised to check for unauthorized plugins or administrator users on vulnerable sites and consider Wordfence Incident Response/Scanner services for remediation.
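As an added defender-side example (not code from the Wordfence post), the following Python script runs the two early-warning checks described above over constructed access-log lines: requests for the WooCommerce Payments readme.txt and requests carrying the X-Wcpay-Platform-Checkout-User: 1 header, then groups source IPs by which of the two behaviours they showed. It assumes a custom Apache log format that appends that header as a final quoted field; the IP addresses and request lines are constructed samples.

```python
import re
from collections import defaultdict
# Constructed sample access-log lines (not real traffic). Assumed format: Apache
# "combined" with the request's X-Wcpay-Platform-Checkout-User header appended as a
# final quoted field (LogFormat ... "%{X-Wcpay-Platform-Checkout-User}i"); "-" if absent.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jul/2023:02:11:09 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [15/Jul/2023:02:11:14 +0000] "POST /index.php HTTP/1.1" 200 310 "-" "Mozilla/5.0" "1"
198.51.100.7 - - [15/Jul/2023:02:12:01 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 404 210 "-" "curl/8.0" "-"
198.51.100.7 - - [15/Jul/2023:02:12:05 +0000] "GET / HTTP/1.1" 200 9000 "-" "curl/8.0" "-"
192.0.2.44 - - [15/Jul/2023:02:13:40 +0000] "GET /wp-admin/ HTTP/1.1" 200 120 "-" "python-requests/2.31" "1"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<wcpay_hdr>[^"]*)"$'
)
PROBE_PATH = "/wp-content/plugins/woocommerce-payments/readme.txt"

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Tag one request: readme.txt probe of the plugin, and/or the impersonation header."""
    tags = []
    if entry["path"].split("?", 1)[0] == PROBE_PATH:
        tags.append("readme_probe")
    if entry["wcpay_hdr"].strip() == "1":
        tags.append("wcpay_header")
    return tags

def summarize(log_text):
    """Group source IPs by behaviour: probe only, header only, or both (as Wordfence observed)."""
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            per_ip[entry["ip"]].update(classify(entry))
    return {
        "probe_only": sorted(ip for ip, t in per_ip.items() if t == {"readme_probe"}),
        "header_only": sorted(ip for ip, t in per_ip.items() if t == {"wcpay_header"}),
        "probe_and_header": sorted(ip for ip, t in per_ip.items()
                                   if {"readme_probe", "wcpay_header"} <= t),
    }

if __name__ == "__main__":
    for bucket, ips in summarize(SAMPLE_LOG).items():
        print(f"{bucket}: {', '.join(ips) or '(none)'}")
```

IPs in the probe_and_header bucket are the ones worth checking first for unauthorized plugins and administrator accounts.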
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The exploit allows unauthenticated attackers to obtain administrative privileges on vulnerable websites. ‘The exploit allows unauthenticated attackers to obtain administrative privileges on vulnerable websites, rating it a Critical CVSS score of 9.8.’
- [T1068] Exploitation for Privilege Escalation – The same vulnerability is used to escalate to administrative privileges: ‘to obtain administrative privileges on vulnerable websites.’
- [T1059] Command and Scripting Interpreter – Attacks use WP Console to ‘execute malicious code’ on the site. ‘Once the WP Console plugin is installed, attackers use it to execute malicious code and place a file uploader in order to establish persistence.’
- [T1505.003] Web Shell – The WP Console workflow facilitates code execution and persistence mechanisms typically associated with web shells. ‘the WP Console plugin… to execute malicious code and place a file uploader in order to establish persistence.’
- [T1136] Create Account – Attackers create malicious administrator users with randomized alphanumeric usernames such as ‘ac9edbbe’.
- [T1518.001] Software Discovery – The campaign used readme.txt enumeration to detect if WooCommerce Payments is installed: ‘readme.txt requests were distributed over thousands of IP addresses – while nearly 5,000 IP addresses sent both readme.txt requests and actual attacks…’
Indicators of Compromise
- [IP Address] The majority of attacks came from seven IP addresses: 194.169.175.93, 2a10:cc45:100::5474:5a49:bfd6:2007, 103.102.153.17, 79.137.202.106, 193.169.194.63, 79.137.207.224, 193.169.195.64
- [MD5 Hash] Payload/hash left by the uploader – fb1fd5d5ac7128bf23378ef3e238baba
- [File Name] Readme indicator for plugin presence – readme.txt (wp-content/plugins/woocommerce-payments/readme.txt)