Recent reports indicate that over 1,000 WordPress-based websites have fallen victim to an attack involving the injection of malicious third-party JavaScript code, which establishes four distinct backdoors for attackers. This technique allows cybercriminals to regain access to compromised systems even if one entry point is discovered and removed, as noted by Himanshu Anand, a researcher from c/side. Current data shows that approximately 908 websites reference the malicious domain cdn.csyndication[.]com, the source of this JavaScript attack.
The malicious code deploys functions that serve to facilitate unauthorized access and control over affected systems. The first backdoor installs a counterfeit plugin identified as “Ultra SEO Processor,” which can execute commands issued by the attackers. The second backdoor compromises the wp-config.php file by injecting harmful JavaScript. Meanwhile, the third backdoor integrates an attacker-controlled SSH key into the ~/.ssh/authorized_keys file, thereby ensuring persistent remote access. The fourth backdoor is engineered to run remote commands and retrieve further malicious code from gsocket[.]io, likely responsible for establishing a reverse shell.
To counter this threat, affected users are advised to remove any unauthorized SSH keys, rotate their WordPress admin credentials, and diligently monitor system logs for unusual activities. These measures are crucial in mitigating the risks associated with this multi-vector attack.
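The three mitigations above (unauthorized SSH keys, the counterfeit plugin, the altered wp-config.php, and references to the attacker's domains) can be turned into a repeatable triage check. The script below is an added example written for this article, not code from c/side or the WordPress project; it builds a small constructed, deliberately compromised site tree in a temporary directory so it runs offline, and the administrator's "known good" SSH public key and all file contents are constructed placeholders. It flags authorized_keys entries whose key blob is not on an allowlist, a wp-config.php that contains an HTML script tag, plugin files carrying the "Ultra SEO Processor" header, and any PHP/JS/HTML file referencing the reported domains.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the report (written defanged there as cdn.csyndication[.]com / gsocket[.]io).
MALICIOUS_DOMAIN = "cdn.csyndication.com"
SECOND_STAGE_HOST = "gsocket.io"
FAKE_PLUGIN_NAME = "Ultra SEO Processor"

# Matches "<keytype> <base64 blob>" anywhere in an authorized_keys line, so option
# prefixes such as command="..." or from="..." do not hide a key from the check.
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")

# Constructed placeholder: the administrator's legitimate public-key blob.
ADMIN_KEY_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyBlob00000000000000000000"


def unauthorized_ssh_keys(authorized_keys_text: str, allowed_key_blobs: set[str]) -> list[str]:
    """Return every active authorized_keys entry whose key blob is not on the allowlist.
    Lines that cannot be parsed as a key are flagged as well rather than silently skipped."""
    flagged = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = KEY_RE.search(line)
        if match is None or match.group(2) not in allowed_key_blobs:
            flagged.append(line)
    return flagged


def wp_config_has_script(text: str) -> bool:
    """wp-config.php is pure PHP configuration; an HTML <script> tag has no business there."""
    return re.search(r"<script\b", text, re.IGNORECASE) is not None


def domain_indicators(text: str) -> list[str]:
    """Names of the reported domains that appear in a file's contents."""
    hits = []
    if MALICIOUS_DOMAIN in text:
        hits.append("csyndication-cdn")
    if SECOND_STAGE_HOST in text:
        hits.append("gsocket")
    return hits


def audit_site(site_root: Path, allowed_key_blobs: set[str], authorized_keys: Path) -> dict[str, list[str]]:
    """Run all checks and return findings grouped by category (empty lists mean nothing found)."""
    findings: dict[str, list[str]] = {"ssh_keys": [], "wp_config": [], "plugins": [], "indicator_files": []}
    if authorized_keys.exists():
        findings["ssh_keys"] = unauthorized_ssh_keys(authorized_keys.read_text(), allowed_key_blobs)
    config = site_root / "wp-config.php"
    if config.exists() and wp_config_has_script(config.read_text(errors="replace")):
        findings["wp_config"].append(config.relative_to(site_root).as_posix())
    for php in (site_root / "wp-content" / "plugins").rglob("*.php"):
        if FAKE_PLUGIN_NAME in php.read_text(errors="replace"):
            findings["plugins"].append(php.relative_to(site_root).as_posix())
    for path in site_root.rglob("*"):
        if path.is_file() and path.suffix in {".php", ".js", ".html"}:
            hits = domain_indicators(path.read_text(errors="replace"))
            if hits:
                findings["indicator_files"].append(f"{path.relative_to(site_root).as_posix()}: {','.join(hits)}")
    return findings


def build_sample_site(root: Path) -> Path:
    """Write a constructed, deliberately compromised WordPress tree; returns the authorized_keys path."""
    (root / "wp-content" / "plugins" / "ultra-seo-processor").mkdir(parents=True)
    (root / "wp-content" / "themes" / "demo").mkdir(parents=True)
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp');\n?>\n"
        f'<script src="https://{MALICIOUS_DOMAIN}/x.js"></script>\n')
    (root / "wp-content" / "plugins" / "ultra-seo-processor" / "ultra.php").write_text(
        f"<?php\n/* Plugin Name: {FAKE_PLUGIN_NAME} */\n")
    (root / "wp-content" / "themes" / "demo" / "footer.php").write_text(
        f'<?php wp_footer(); ?>\n<script src="https://{MALICIOUS_DOMAIN}/loader.js"></script>\n')
    (root / "wp-content" / "themes" / "demo" / "functions.php").write_text("<?php // clean theme file\n")
    keys = root / "authorized_keys"  # stands in for ~/.ssh/authorized_keys
    keys.write_text(
        f"ssh-ed25519 {ADMIN_KEY_BLOB} admin@host\n"
        "# legacy entry, commented out\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCConstructedUnknownKeyBlob unknown@nowhere\n")
    return keys


def run_demo() -> dict[str, list[str]]:
    """Build the sample site in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return audit_site(root, {ADMIN_KEY_BLOB}, build_sample_site(root))


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(f"{category}: {items}")
```

On a real host, point `audit_site` at the WordPress document root and at the web user's `~/.ssh/authorized_keys`, and populate the allowlist from the key blobs you issued; any output is a lead to investigate, and an empty result is not proof of a clean system, since the report describes a fourth backdoor that runs remote commands and would not be visible to file-content checks alone.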
In a related context, cybersecurity experts have reported that a separate malware campaign has successfully compromised over 35,000 websites, injecting malicious JavaScript that effectively hijacks browser windows and redirects users to Chinese-language gambling sites. This occurrence is speculated to be targeting regions where Mandarin is prevalent, with affected websites redirecting visitors to gambling content branded as ‘Kaiyun.’ The JavaScript responsible for this is hosted on five different domains, serving as handlers for the main payload that executes the redirects.
Moreover, findings from Group-IB reveal a new threat actor, referred to as ScreamedJungle, actively injecting a JavaScript code named Bablosoft JS into compromised Magento websites. This script is intended to capture fingerprints of users visiting affected platforms, impacting over 115 e-commerce sites thus far. The injected script is an element of the Bablosoft BrowserAutomationStudio suite, equipped with additional functionalities to gather data about user systems and browsers.
To gain access, the attackers exploit known vulnerabilities in Magento. The threat actor was first observed in the wild in late May 2024, taking advantage of flaws such as CVE-2024-34102 and CVE-2024-20720. Browser fingerprinting, a technique commonly employed by legitimate websites for tracking and marketing purposes, is being weaponized by cybercriminals to mimic genuine user actions, evade security controls, and carry out fraudulent schemes.
This series of incidents underlines the persistent cybersecurity vulnerabilities plaguing platforms like WordPress and Magento. As business owners navigate this challenging landscape, understanding the tactics outlined in the MITRE ATT&CK framework can provide insight into potential adversary methodologies, such as initial access strategies, persistence mechanisms, and privilege escalation techniques.
In light of these developments, staying informed and adopting robust security measures is imperative for safeguarding digital assets against increasingly sophisticated cyber threats. Continued vigilance in monitoring systems and ensuring adherence to security best practices remains critical in mitigating risks and maintaining integrity in online operations.