Since Sunday, unidentified attackers have been indiscriminately infecting WordPress websites with malware by exploiting a previously disclosed vulnerability in the Slider Revolution plugin, according to security company Sucuri.
SoakSoak[dot]ru is the website being used to distribute the malware, Tony Perez, CEO of Sucuri, told SCMagazine.com in a Monday email correspondence, adding that Sucuri currently does not have more details on the website and whether it was only created for use in this campaign.
Sucuri had observed more than 100,000 infected WordPress websites by the time the company initially published a blog post on Sunday, and also noted that Google had blacklisted more than 11,000 domains. Those numbers have been increasing, Perez said.
“[In] less than 24 hours it was 11,000, today this morning, it was over 15,000…that means it's spreading fast and Google is usually a bit slower,” Perez said. “If they picked it up that fast it talks to the scale. Our estimates based on our data has it [at] over [100,000 infections] at the moment, and rising.”
Although it appears to be a drive-by download, further specifics about the malware and its capabilities are unclear at the moment, Perez said. The identity of the attackers is also unclear, and Perez was only speculating when he said that financial gain or data theft are possible motivations behind the campaign.
As for the specific attack vector, Sucuri performed forensics on several impacted WordPress websites and each analysis has led the company to believe that the attackers are exploiting the vulnerability in the Slider Revolution plugin, which is used for displaying slides, Perez said.
“We've found a series of exploit tools targeting [the plugin], attacks on the plugin have been on the rise, and a very large percentage of the sites affected have had it installed – on the site, or somewhere in the environment,” Perez said.
Daniel Cid, CTO of Sucuri, published a follow-up blog post on Monday that outlines the attack sequence and provides additional details with regard to the attack vector. He went on to write that the Slider Revolution plugin cannot easily be upgraded due to it being a premium plugin, and added that some site operators have no idea that they even have the plugin.
“This campaign is also making use of a number of new backdoor payloads, some are being injected into images to further assist evasion and others are being used to inject new administrator users into the WordPress installs, giving them even more control long term,” Cid wrote.
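The two persistence techniques Cid describes, PHP payloads hidden inside image files and administrator accounts injected into the WordPress user table, are things a site operator can check for directly. The following Python script is an added example written for this article, not code from Sucuri, WordPress, or the Slider Revolution project. It walks an uploads directory and flags image files that carry PHP markers, and it compares the administrator accounts in a user listing against an owner-maintained allowlist. The directory layout, file names, user records and the allowlist are all constructed sample data; the capability strings mirror the serialized `wp_capabilities` format WordPress stores in `wp_usermeta`.

```python
import os
import re
import tempfile
from typing import Dict, Iterable, List

# Image extensions commonly found under wp-content/uploads. A file with one of
# these extensions has no legitimate reason to contain PHP code.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp"}

# Byte patterns that indicate PHP code inside a file: an opening PHP tag or the
# eval/base64_decode pair used by many web backdoors. Deliberately simple;
# a hit means "inspect this file", not a verdict.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|eval\s*\(|base64_decode\s*\(", re.IGNORECASE)

# Constructed user records resembling a join of wp_users and wp_usermeta.
# "wp_update" stands in for an injected account; the name is invented here.
SAMPLE_USERS = [
    {"user_login": "siteowner", "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "writer", "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"user_login": "wp_update", "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]


def scan_uploads_for_php(root: str) -> List[str]:
    """Return relative paths of image files under `root` containing PHP markers."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if PHP_MARKERS.search(data):
                # Normalise separators so results are stable across platforms.
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def unexpected_admins(users: Iterable[Dict[str, str]], approved: Iterable[str]) -> List[str]:
    """Return administrator logins that are not on the owner's approved list."""
    approved_set = set(approved)
    flagged = []
    for user in users:
        caps = user.get("wp_capabilities", "")
        if '"administrator"' in caps and user["user_login"] not in approved_set:
            flagged.append(user["user_login"])
    return sorted(flagged)


def build_sample_uploads() -> str:
    """Create a constructed uploads tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month_dir = os.path.join(root, "2014", "12")
    os.makedirs(month_dir)
    # Clean PNG: valid signature followed by filler bytes.
    with open(os.path.join(month_dir, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    # JPEG header with a PHP backdoor stub appended after the image data.
    with open(os.path.join(month_dir, "banner.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        fh.write(b"<?php eval(base64_decode('PLACEHOLDER')); ?>")
    # A real PHP file in the tree is out of scope for the image check.
    with open(os.path.join(root, "helper.php"), "wb") as fh:
        fh.write(b"<?php echo 'legitimate'; ?>")
    return root


if __name__ == "__main__":
    uploads = build_sample_uploads()
    print("image files with PHP markers:", scan_uploads_for_php(uploads))
    print("admins not on allowlist:", unexpected_admins(SAMPLE_USERS, ["siteowner"]))
```

On a real site the first check would be pointed at `wp-content/uploads` and the second fed from `SELECT user_login, meta_value FROM wp_users JOIN wp_usermeta ... WHERE meta_key = 'wp_capabilities'`; any hit from either function is a reason to restore from a known-good backup rather than to delete the single file or account, since the post above notes that multiple backdoors are dropped per site.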
WordPress site operators using the Slider Revolution plugin should stay alert.
“Any [WordPress] sites leveraging the [Slider Revolution] plugin, especially the old version, should consider themselves on notice as the attacks continue to ramp up,” Perez said. “Once in the environment though they should consider all sites within the stack, regardless of platform, compromised.”
In the Monday post, Cid provides tips to consider when removing the infection. Perez said that operators need to start using website firewalls to address this and other similar issues because the “automated nature of things” makes it challenging for everyday users to keep up.