WordPress Security Update Announcement


WordPress Vulnerability Abused and Leads to SEO SPAM

Some of you may know by now that WordPress 4.7.2 was released, including a fix for a severe vulnerability in the WordPress REST API. We, like many other companies, have been monitoring our sites closely to see how and when attackers would try to exploit this issue, a pattern that has become commonplace after fixes to WordPress core are published. In less than forty-eight hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online.

No Current Patches

WordPress has an auto-update feature enabled by default, along with an easy one-click manual update process. Despite this, not all website owners are aware of this issue or able to update their site. This is leading to a large number of sites being compromised and defaced.

There are currently four different hacking groups doing mass scans and exploit attempts across the internet. If Google's index is accurate, these defacers seem to be succeeding. Below are the four campaigns that our friends at sucuri.net have identified as associated with this vulnerability.

Defacer Campaign #1

Just for one defacer, which Sucuri calls Campaign #1, Google alone shows 66,000+ pages compromised. The defacers started the exploits less than forty-eight hours ago, so Sucuri assumes Google has not yet had time to re-index all compromised pages, and anticipates that the number on Google's SERP will continue to increase as the re-indexing scans continue.

IP Addresses being used:

  • 176.9.36.102
  • 185.116.213.71
  • 134.213.54.163
  • 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1

Defacer[s] group behind it: by w4l3XzY3.

Sucuri recommends blocking these IP addresses, or at least investigating their activity in your logs.

Campaign #2

The second campaign is not as successful, with Google only showing 500+ pages compromised. This campaign started just a few hours ago, so Google has probably not had enough time to index the pages.

IP Address:

  • 37.237.192.22

Defacer[s] group behind it: Cyb3r-Shia.

Campaign #3 and #4

These campaigns are somewhat unusual in that two different defacers share the same IP address. Each defacer has compromised over 500 pages (according to Google).

IP Address:

  • 144.217.81.160

Defacer[s] group behind it: By+NeT.Defacer & By+Hawleri_hacker

Sucuri would rather not name the defacers, since they do it for publicity, but is sharing the names so that the growth of the issue can be tracked and we can better serve our clients.
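To act on the recommendation above to investigate these addresses in your logs, here is a small added example (our own, not Sucuri's tooling) that scans web server access log lines in the Apache/nginx combined format, flags any request from the campaign IPs listed in this post, and also flags writes to the REST API. It assumes the REST API is served under WordPress's default /wp-json/ prefix; the log lines are constructed for the demonstration.

```python
import re
from ipaddress import ip_address

# Campaign IPs listed above (from the post), normalised so IPv6 spellings compare equal.
CAMPAIGN_IPS = {ip_address(ip).compressed: name for ip, name in [
    ("176.9.36.102", "Campaign #1"),
    ("185.116.213.71", "Campaign #1"),
    ("134.213.54.163", "Campaign #1"),
    ("2a00:1a48:7808:104:9b57:dda6:eb3c:61e1", "Campaign #1"),
    ("37.237.192.22", "Campaign #2"),
    ("144.217.81.160", "Campaign #3 and #4"),
]}

# Apache/nginx "combined" format: client, identity, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Assumption: the REST API lives under its default /wp-json/ prefix; any write
# (POST/PUT/PATCH) there is worth reviewing even from an unlisted address.
WRITE_METHODS = {"POST", "PUT", "PATCH"}

def scan_access_log(lines):
    """Return one finding per request from a listed campaign IP or per write to /wp-json/."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-combined-format line
        try:
            ip = ip_address(m["ip"]).compressed
        except ValueError:
            continue  # client field is not an IP address (e.g. "-" or a hostname)
        campaign = CAMPAIGN_IPS.get(ip)
        rest_write = m["path"].startswith("/wp-json/") and m["method"] in WRITE_METHODS
        if campaign or rest_write:
            findings.append({"ip": ip, "campaign": campaign, "rest_write": rest_write,
                             "time": m["ts"], "request": f'{m["method"]} {m["path"]}',
                             "status": int(m["status"])})
    return findings

# Constructed sample lines (not real traffic); the IPv6 entry is deliberately upper-case.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Feb/2017:10:01:02 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 512',
    '176.9.36.102 - - [07/Feb/2017:10:01:07 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 734',
    '2A00:1A48:7808:104:9B57:DDA6:EB3C:61E1 - - [07/Feb/2017:10:02:11 +0000] "GET /?p=12 HTTP/1.1" 200 9801',
    '198.51.100.9 - - [07/Feb/2017:10:03:00 +0000] "PUT /wp-json/wp/v2/posts/12 HTTP/1.1" 401 88',
    'not a log line',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

On a live server, pass the lines of the access log (for example `open("/var/log/apache2/access.log")`) instead of SAMPLE_LOG; a hit from a listed address, or a successful write to /wp-json/ you did not make yourself, is a reason to check the affected posts and update to 4.7.2 immediately.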

Website Spam Will Be Major Issue

The defacement campaigns are going strong and increasing by the day. What we expect to see is a lot more SEO spam attempts moving forward. There are already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the most attractive route for abusing this vulnerability.

This vulnerability is very recent and a lot may change in the next few days. As we get updates we will share them with you.

At this time, we recommend that all WordPress sites be updated to the newest version of WordPress. If you have any questions about the vulnerability, contact us today at 980-322-0518. Safeguard your site before you see an increase in SEO SPAM that will ruin all SEO efforts.