Zero-day in WordPress SMTP plugin abused by two hacker groups

Hacker groups are creating backdoor admin accounts on vulnerable sites and redirecting users to tech support scams.

WordPress Easy WP SMTP

Two cyber-security companies providing firewall plugins for WordPress sites have detected attacks abusing a zero-day vulnerability in a popular WordPress plugin.

At least two hacker groups have been observed abusing the zero-day to change site settings, create rogue admin accounts to use as backdoors, and then hijacking traffic from the hacked sites.

Plugin zero-day exploited before patch

The zero-day abused by these two groups resides in "Easy WP SMTP," a WordPress plugin with over 300,000 active installs. The plugin's main feature is to let site owners configure the SMTP settings of their site server's outgoing emails.

Attacks abusing this zero-day were first spotted last Friday, March 15, by NinTechNet, the company behind the Ninja Firewall for WordPress.

The issue was reported to the plugin's author, who patched the zero-day on Sunday, March 17, with the release of v1.3.9.1.

Attacks didn't stop, though, but they continued throughout the week, with hackers trying to take over as many sites as they could before site owners applied the patch.

How attacks unfolded

Defiant, the cyber-security firm who manages the Wordfence WordPress firewall, said it continued to detect attacks even after the patch. In a report published earlier today, the company broke down how the two hacker groups operated.

According to Defiant, attacks exploited a settings export/import feature that was added to the Easy WP SMTP plugin in version 1.3.9. Defiant said hackers found a function part of this new import/export feature that allowed them to modify a site's overall settings, not just those related to the plugin.

Hackers currently scan for sites using this plugin and then modify settings to enable user registration, an operation that many WordPress site owners have disabled for security reasons.

During initial attacks spotted by NinTechNet, hackers modified the "wp_user_roles" option that controls the permissions of the "subscriber" role on WordPress sites, giving a subscriber the same abilities of an admin account.

This means that hackers would register new accounts that appeared as subscribers in the WordPress site's database, but actually had the permissions and abilities of an admin account.

In subsequent attacks detected by Defiant, hackers switched their modus operandi and began modifying the "default_role" setting instead of the "wp_user_roles" one. This setting controls the account type of newly registered users. In this new attack, all newly created accounts are admin accounts.

This last attack routine is now the one the two hacker groups use, according to Defiant.

"Both of the campaigns launch their initial attacks identically, by using the proof of concept (PoC) exploit detailed in NinTechNet's original disclosure of the vulnerability. These attacks match the PoC exactly, down to the checksum," said Defiant security researcher Mikey Veenstra.

But this is where the similarities between the two groups end. Defiant said the first of the two groups stops any activity after creating a backdoor admin account on hacked sites, while the second group is much more aggressive.

Veenstra said this second group modifies hacked sites to redirect incoming visitors to malicious sites, with the most common theme being tech support scam sites.

Fixing vulnerable sites

All sites that use the Easy WP SMTP plugin are advised to update to the latest version, v1.3.9.1. After updating the plugin, both NinTechNet and Defiant recommend auditing a site's user section for newly added accounts --both at the subscriber and admin levels.

Updating to the latest plugin version is recommended, as WordPress security firm White Fir Design, which also published a report on these attacks, also documented other security flaws in the same plugin that might get abused [1, 2, 3, 4].

In all this, a black ball goes to the WordPress forum moderator team, which appears to have been more preoccupied with forum users using the "zero-day" term to describe this vulnerability and the ongoing attacks.

The WordPress forum moderation team has a long history of censoring and downplaying security issues and attacks, leaving users of some plugins in the dark about unpatched vulnerabilities and ongoing attacks, topics that some times get removed from the WP forums.

A report published by cyber-security firm Sucuri this year revealed that 90 percent of all hacked content management systems (CMSes) are WordPress sites.

UPDATE: A few hours after the publication of this article, news broke [1, 2, 3] of a second zero-day exploited by hackers to take over WordPress sites. This second zero-day impacts the Social Warfare plugin, which the WordPress team had temporarily removed from the main WordPress Plugins repository, pending an update from its developer.

More vulnerability reports: