The email campaign, identified by researchers at both Wordfence and Patchstack, impersonates WordPress and warns users of a vulnerability, CVE-2023-45124, urging them to click on a link to download a plugin that will fix the flaw.
Attackers can use the backdoor to conduct malicious activity, such as injecting advertisements into the site, redirecting users to a malicious site, or stealing billing info, according to Patchstack.
They can also leverage it for distributed denial-of-service (DDoS) attacks, or blackmail site owners by copying the site's database and holding it hostage for a cryptocurrency payment.
The good news is that, so far, no targets appear to have been infected by the campaign, which requires user action to succeed, the researchers noted.
With hundreds of millions of websites built on WordPress, the platform and its users represent a large attack surface for threat actors and are therefore frequent targets of malicious campaigns, whether via plugins that install malware or phishing campaigns aimed at WordPress users - or, in this case, both.
Attackers also tend to pounce quickly on flaws discovered in WordPress, and site owners know it. The current campaign takes full advantage of that reflex by luring users with the threat of a supposedly exploitable vulnerability and offering the "fix" themselves.
Zip, the attacker-controlled site, according to Patchstack.
These variables could change depending on the whim of attackers, the researchers warned.
Wordfence plans to release a future post taking a deeper dive into the plugin and backdoor.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 05 Dec 2023 16:15:19 +0000