Email automation and delivery service Mailgun was one of the many companies that have been hacked today as part of a massive coordinated attack against WordPress sites.
The attacks exploited an unpatched cross-site scripting (XSS) vulnerability in a WordPress plugin named Yuzo Related Posts.
The vulnerability allowed hackers to inject code in vulnerable sites, which they later used to redirect incoming visitors to all sorts of nasties, such as tech support scams, sites peddling malware-laced software updates, or plain ol' spammy pages showing ads.
Mailgun was just one random victim of these attacks, and not the only one. Other site owners reported similar issues with their sites on the plugin's support forum on WordPress.org [1, 2, 3], and on other web-dev discussion forums, such as StackOverflow.
Researcher dropped zero-day exploit online without warning
Today's massive hacking campaign could have been avoided if only the web developer who found the Yuzo Related Posts plugin vulnerability had reported the issue to its author instead of publishing proof-of-concept code online.
As a result of this proof-of-concept code being made available to everyone, the plugin was removed from the official WordPress Plugins repository on the same day, preventing further downloads until a patch was made available.
However, this didn't remove the plugin from the sites around the world where it was already installed, all of which remained vulnerable. At the time of its removal, the plugin had already been installed on more than 60,000 sites, according to official WordPress.org stats.
Things got so desperate today in the early hours of the attacks that the plugin's author called on users to "remove this plugin immediately" from their sites until an update would be available.
There's a group going after WordPress sites
According to Defiant, the company behind the Wordfence WordPress firewall plugin, the hacking group behind today's attacks is the same group which exploited two zero-days in two other plugins in previous weeks, namely in the Easy WP SMTP and Social Warfare plugins.
"Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53," said Dan Moen, Defiant researcher. "That same IP address was used in the Social Warfare and Easy WP SMTP campaigns."
The same connection between today's campaign and the previous one targeting the two other plugins was also made by security researchers at Sucuri.
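The indicators quoted above (the script host hellofromhony[.]org and the IP 176.123.9[.]53) are what a site owner would search for when checking whether an injection landed. The following is an added example, not code from the article or from Defiant, Sucuri or the plugin author: it scans a text export (page HTML or a database dump of option values) for those indicators and lists every external host referenced from a script tag, so unexpected hosts stand out even if they are not on the known-bad list. The sample export it scans is constructed for the example; the script path EXAMPLE.js and the option name are placeholders, not values observed in the campaign.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the article, kept defanged as printed.
IOC_DOMAIN = "hellofromhony[.]org"
IOC_IP = "176.123.9[.]53"
DEFAULT_IOCS = (IOC_DOMAIN, IOC_IP)


def refang(ioc):
    """Turn a defanged indicator ('example[.]org') back into a matchable string."""
    return ioc.replace("[.]", ".")


def build_pattern(iocs):
    """Compile one case-insensitive regex that matches any of the given indicators."""
    escaped = [re.escape(refang(i)) for i in iocs]
    return re.compile("|".join(escaped), re.IGNORECASE)


# Matches the src attribute of a <script> tag, with or without quotes.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?\s*([^'\"\s>]+)", re.IGNORECASE)


def find_indicators(text, iocs=DEFAULT_IOCS):
    """Return (line_number, indicator_matched, line_snippet) for every line hit."""
    pattern = build_pattern(iocs)
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in pattern.finditer(line):
            hits.append((number, match.group(0).lower(), line.strip()[:120]))
    return hits


def external_script_hosts(text):
    """Return the set of hostnames referenced by <script src=...> tags.

    Database exports often JSON-escape slashes ('https:\\/\\/host'), so those are
    undone before parsing; protocol-relative '//host/x.js' URLs are handled too.
    """
    hosts = set()
    for match in SCRIPT_SRC.finditer(text):
        src = match.group(1).replace("\\/", "/")
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def scan(text, iocs=DEFAULT_IOCS):
    """Combined report: known-indicator hits plus every external script host for review."""
    return {"ioc_hits": find_indicators(text, iocs),
            "script_hosts": external_script_hosts(text)}


# Constructed sample imitating an 'option_name|option_value' export of a WordPress site.
# Line 1 carries an injected script with JSON-escaped slashes, line 4 one by raw IP.
SAMPLE_DUMP = """\
some_plugin_option|<style>.x{}</style><script src="https:\\/\\/hellofromhony.org\\/EXAMPLE.js"></script>
blogname|Example Corp Blog
siteurl|https://www.example.com
page_content|<p>Contact us</p><script src='https://176.123.9.53/EXAMPLE.js'></script>
"""


if __name__ == "__main__":
    report = scan(SAMPLE_DUMP)
    for number, ioc, snippet in report["ioc_hits"]:
        print(f"line {number}: known indicator {ioc!r} in: {snippet}")
    print("external script hosts to review:", sorted(report["script_hosts"]))
```

Run it against a real export by reading the file into `scan()`; the indicator list is a tuple, so further domains or IPs from a vendor advisory can be appended without touching the matching code.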
Mailgun did not reply to a request for comment before this article's publication; however, the company removed the plugin and was back up and running within two hours of detecting the problem on its site.
"Our applications including the Mailgun Dashboard, APIs, and customer data stored on our platform were not impacted by this issue," the company said in its status report page.