December 5, 2023 at 11:21AM
Cybercriminals are circulating a bogus WordPress security email, claiming to resolve a fake RCE vulnerability with a “patch” that is actually a backdoor for site hijacking. No infections are reported yet, but users are urged not to install the offered plugin and to be wary of phishing attempts.
Meeting Takeaways:
1. Fake Security Alert:
– WordPress users are being targeted by a phishing campaign through emails pretending to be from WordPress.
– These emails alert users about a non-existent RCE vulnerability, CVE-2023-45124.
2. Malicious “Patch”:
– Users are prompted to download a fake patch which is actually malware.
– Installing the so-called patch creates a backdoor in the website and an unauthorized admin account.
3. Consequences of the Backdoor:
– Unauthorized access for attackers, enabling them to inject ads, redirect visitors, or steal sensitive information.
– Potential for DDoS attacks and ransom demands for stolen website data.
4. Campaign Status:
– As of the meeting, no infections have been reported as the campaign relies on user action to succeed.
5. Spreading Tactics:
– Victims are falsely reassured of the “successful patch” and encouraged to distribute the fake patch further.
6. Protection Tips:
– Be aware of the high risk due to WordPress’s large user base.
– Be cautious of phishing emails and fake plugins.
7. Indicators of Compromise:
– Presence of a “wpsecuritypatch” user, “wp-autoload.php” file, or certain suspicious folders in the WordPress installation.
– Outgoing requests to an attacker-controlled site.
– WordPress site owners should note that these indicators may change over time.
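A simple defender-side check for two of the indicators listed above, added here as an example and not part of the original notes: it looks for a file named wp-autoload.php anywhere under a WordPress install and for a user login of wpsecuritypatch in a user list (for example the output of `wp user list --field=user_login`). The sample install and user list built in demo() are constructed for illustration; the plugin folder name used there is a placeholder, not a real indicator.

```python
import os
import tempfile

# Both values are the indicators named in the advisory summary above.
SUSPICIOUS_FILE = "wp-autoload.php"
SUSPICIOUS_USER = "wpsecuritypatch"


def find_suspicious_files(wp_root):
    """Return paths (relative to wp_root) of every file named wp-autoload.php."""
    hits = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if name.lower() == SUSPICIOUS_FILE:
                hits.append(os.path.relpath(os.path.join(dirpath, name), wp_root))
    return sorted(hits)


def find_suspicious_users(user_logins):
    """Return logins (one per line) matching the rogue admin name, case-insensitively."""
    return [u.strip() for u in user_logins.splitlines()
            if u.strip().lower() == SUSPICIOUS_USER]


def scan(wp_root, user_logins):
    """Run both checks; 'compromised' is True if either indicator is present."""
    files = find_suspicious_files(wp_root)
    users = find_suspicious_users(user_logins)
    return {"files": files, "users": users, "compromised": bool(files or users)}


def demo():
    """Build a constructed sample install with both indicators present and scan it."""
    root = tempfile.mkdtemp()
    # Placeholder plugin folder name; the notes do not name the real folders.
    plugin_dir = os.path.join(root, "wp-content", "plugins", "constructed-plugin")
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, SUSPICIOUS_FILE), "w") as f:
        f.write("<?php // constructed placeholder file, not the real backdoor\n")
    # Constructed user list: two legitimate accounts plus the rogue one.
    users = "admin\nwpsecuritypatch\neditor\n"
    return scan(root, users)


if __name__ == "__main__":
    print(scan(".", ""))  # point wp_root at a real install and feed it `wp user list` output
```

On a live site, run `find_suspicious_files` against the document root and pipe the `wp user list` output into `find_suspicious_users`; a hit on either is grounds for the incident-response steps the notes describe, not proof by itself since the indicators may change.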
8. Recommendations:
– Do not click any links in suspicious emails, including “unsubscribe” links.
– Stay informed and follow up on updates from security researchers, like the upcoming Wordfence post for more details.
Action items might include alerting the IT department to educate users about this phishing attempt, ensuring that security systems are updated to recognize these threats, and continuously monitoring for any signs of compromise described in the notes.