Spikes in Attacks Serve as a Reminder to Update Plugins

Keypoints

  • Spikes in exploit attempts targeted Kaswara Modern VC Addons (<= 3.0.1) and Adning Advertising (<= 1.5.5) plugins, with firewall rules already in place for Wordfence users.
  • The holiday and weekend timing suggests attackers schedule campaigns for periods when site admins are least likely to notice and respond.
  • During the spikes, Wordfence observed 1,969,494 exploit attempts against the Kaswara vulnerability and 1,075,458 against the Adning vulnerability, far above the normal daily block volume for these firewall rules.
  • The Kaswara vulnerability allows unauthenticated arbitrary file uploads, enabling PHP uploads and remote code execution on vulnerable WordPress sites.
  • The Adning vulnerability includes unauthenticated file upload and unauthenticated file deletion (potentially deleting wp-config.php), leading to full site compromise.
  • At disclosure, Kaswara had roughly 8,000 active installations and Adning roughly 680. Kaswara was never patched, so every installed copy remains exploitable; Adning was fixed after 1.5.5, but sites still running the vulnerable versions remain exposed.
  • Recommendation: keep all website components (core, themes, plugins) up to date and consider a Web Application Firewall to block exploit attempts; remove Kaswara entirely if it is still installed and upgrade Adning to a version newer than 1.5.5.

MITRE Techniques

  • [T1190] Exploitation of Public-Facing Application – Attackers exploit an unpatched plugin vulnerability to upload files and potentially achieve remote code execution. Quote: “…could ultimately lead to a full site takeover due to the fact that the ability to upload PHP files to servers hosting WordPress makes remote code execution possible.”
  • [T1485] Data Destruction – An unauthenticated arbitrary file deletion vulnerability could be used to destroy critical files (e.g., deleting wp-config.php) and compromise the site. Quote: “…an unauthenticated arbitrary file deletion vulnerability that could just as easily be used for complete site compromise by deleting the wp-config.php file.”

Indicators of Compromise

  • [IP] Kaswara top ten IPs – 40.87.107.73, 65.109.128.42, and 8 more
  • [IP] Adning top ten IPs – 65.109.128.42, 65.108.251.64, and 8 more
  • [Filename] Kaswara common uploaded filenames – a57bze8931.zip, bala.zip, and 3 more
  • [Filename] wp-config.php – targeted/deleted in potential attacks (mentioned as a risk in the Adning vulnerability context)
  • [User-Agent] Kaswara top user-agent strings – Mozlila/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36… Moblie Safari/537.36, Mozlila/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36… X-Middleton/1
  • [User-Agent] Adning top user-agent strings – python-requests/2.28.1, Mozlila/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36…
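The IOCs above are most useful when run over a site's own web-server access logs. The following triage script is an added example, not code from the Wordfence post: it parses Combined Log Format lines, flags requests from the listed attacker IPs, the misspelled "Mozlila/" user-agent family, the python-requests user-agent, and any request path containing one of the ZIP filenames seen in Kaswara uploads, and marks a successful (2xx) POST separately because that is the request most likely to have landed a payload. The sample log lines are constructed, and the /wp-admin/admin-ajax.php and /wp-content/uploads/ paths in them are assumptions for illustration, not the exploit endpoints from the post.

```python
"""Triage web-server access logs for the IOCs listed on this page.

Added example (not from the Wordfence post). The sample log lines below are
constructed, and the request paths in them are assumed for illustration; the
IP, user-agent and filename indicators are the ones listed on this page (the
post itself lists more).
"""
import re
from typing import Dict, List, Optional

# IOCs copied from the summary above (the post lists a top ten for each).
IOC_IPS = {"40.87.107.73", "65.109.128.42", "65.108.251.64"}
IOC_FILENAMES = {"a57bze8931.zip", "bala.zip"}
# Exact match for the python-requests UA; prefix match for the "Mozlila/"
# family, since the post shows two variants with the same misspelled prefix.
IOC_UA_EXACT = {"python-requests/2.28.1"}
IOC_UA_PREFIXES = ("Mozlila/",)

# Apache/nginx "combined" format:
# ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the IOC matches for one parsed entry (empty list means clean)."""
    reasons: List[str] = []
    if entry["ip"] in IOC_IPS:
        reasons.append(f"ioc-ip:{entry['ip']}")
    ua = entry["ua"]
    if ua in IOC_UA_EXACT or ua.startswith(IOC_UA_PREFIXES):
        reasons.append("ioc-user-agent")
    # A known dropped-ZIP name in the request path (e.g. the attacker fetching
    # the archive back out of the upload directory) is a strong signal.
    for name in sorted(IOC_FILENAMES):
        if name in entry["path"]:
            reasons.append(f"ioc-filename:{name}")
    # A 2xx POST that already matched an indicator is the request that may
    # have delivered the payload rather than a blocked probe; rank it higher.
    if reasons and entry["method"] == "POST" and entry["status"].startswith("2"):
        reasons.append("successful-post")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole log and return one record per line that hit an IOC."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({
                "ip": entry["ip"],
                "time": entry["time"],
                "path": entry["path"],
                "reasons": reasons,
            })
    return hits


# Constructed sample log (paths and timestamps are made up for the example).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Dec/2022:03:12:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/108.0"
65.109.128.42 - - [24/Dec/2022:03:12:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "python-requests/2.28.1"
40.87.107.73 - - [24/Dec/2022:03:12:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 0 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 Moblie Safari/537.36"
198.51.100.7 - - [24/Dec/2022:03:15:44 +0000] "GET /wp-content/uploads/a57bze8931.zip HTTP/1.1" 404 0 "-" "curl/7.85.0"
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['path']} -> {', '.join(hit['reasons'])}")
```

Matching the misspelled "Mozlila/" prefix rather than the full strings is deliberate: the page shows two variants that differ only in their tail, and the typo itself is the indicator. A "successful-post" hit from one of the listed IPs should trigger a file-system review of the upload directory and a check that wp-config.php is still present, since both plugins' issues end in file writes or deletions.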

Read more: https://www.wordfence.com/blog/2022/12/spikes-in-attacks-serve-as-a-reminder-to-update-plugins/