Tech

Second WordPress hacking campaign underway, this one targeting AMP for WP plugin

After targeting WP GDPR Compliance plugin, hackers are now going after sites using the AMP for WP plugin.

Written by Catalin Cimpanu, Contributor on Nov. 20, 2018

A second vulnerability in a high-profile WordPress plugin has come under active exploitation in the span of a week, ZDNet has learned from WordPress security firm Defiant.

Security

Attacks are currently ongoing, the company said today in a detailed blog post after ZDNet reached out for comment yesterday. This is the second separate wave of hacking attempts detected against WordPress sites after Defiant discovered last week a similar hacking campaign aimed at WordPress sites using the WP GDPR Compliance plugin.

But for this most recent hacking campaign, hackers are targeting a vulnerability that impacts AMP for WP (formerly Accelerated Mobile Pages), a WordPress plugin installed on more than 100,000 sites.

This vulnerability came to the general public's attention last week after web security firm WebARX published proof-of-concept code on how to exploit it on its blog.

ZDNet: Black Friday 2018 deals: Business Bargain Hunter's top picks | Cyber Monday 2018 deals: Business Bargain Hunter's top picks

However, the actual vulnerability was discovered by a Dutch security researcher named Sybre Waaijer, who found and reported the issue to the maintainers of the WordPress Plugins repository in mid-October.

The AMP for WP plugin was removed from the official WordPress Plugins repo between October 22 and 31, as developers worked and released a security fix for the reported issue (AMP for WP version 0.9.97.20).

The vulnerability is similar to the one reported in the WP GDPR Compliance plugin, as attackers can use the plugin's vulnerable code to make site-wide changes to site options to which the plugin shouldn't have had access to.

But it appears that the publication of the proof-of-concept code last week had drawn hackers' attention to this largely unknown issue. Now, Defiant experts say, that hackers have incorporated this new vulnerability into a "sophisticated attack campaign."

The campaign is warranted of the "sophisticated" tag because hackers aren't just blindly abusing the AMP for WP vulnerability directly, but have combined it with another cross-site scripting (XSS) security bug.

Attackers scan the web for vulnerable sites using the AMP for WP plugin, use the XSS vulnerability to store malicious code in various parts of the sites, and wait for an admin user to access those site sections.

The malicious code loads a JavaScript file from the sslapis.com domain which attempts to call URLs only accessible to users with admin accounts.

According to Defiant, this JavaScript code will allow hackers to create an admin user named "supportuuser", but will also access the code editor section of other plugins, where they plant other malicious code that acts as a backdoor in case the "supportuuser" account is removed.

The campaign is in full force, Defiant warns, and WordPress site admins should update the AMP for WP plugin as soon as possible, and review if a new admin user account named "supportuuser" has appeared out of the blue in their site's backend.