
Wednesday, January 31, 2018

Nearly 2000 WordPress Websites Infected with a Keylogger

Swati Khandelwal on 29/01/2018



More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors' computers to mine digital currencies but also logs visitors' every keystroke.


Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger.


Coinhive is a popular browser-based service that lets website owners embed JavaScript that uses the CPU power of their website visitors to mine the Monero cryptocurrency.

Sucuri researchers said the threat actor behind this new campaign is the same one that infected more than 5,400 WordPress websites last month, since both campaigns used the keylogger/cryptocurrency malware called cloudflare[.]solutions.


Spotted in April last year, Cloudflare[.]solutions is cryptocurrency mining malware and is not at all related to network management and cybersecurity firm Cloudflare. Since the malware used the cloudflare[.]solutions domain to initially spread the malware, it has been given this name.


The malware was updated in November to include a keylogger. The keylogger behaves the same way as in previous campaigns and can steal data from both the site's administrator login page and the website's public-facing frontend.

If the infected WordPress site is an e-commerce platform, hackers can steal much more valuable data, including payment card data. If hackers manage to steal the admin credentials, they can just log into the site without relying upon a flaw to break into the site.


The cloudflare[.]solutions domain was taken down last month, but criminals behind the campaign registered new domains to host their malicious scripts that are eventually loaded onto WordPress sites.


The new web domains registered by hackers include cdjs[.]online (registered on December 8th), cdns[.]ws (on December 9th), and msdns[.]online (on December 16th).

Just like in the previous cloudflare[.]solutions campaign, the cdjs[.]online script is injected into either a WordPress database or the theme's functions.php file. The cdns[.]ws and msdns[.]online scripts are also found injected into the theme's functions.php file.


According to the source-code search engine PublicWWW, some 129 websites are infected with the cdns[.]ws script and 103 with the cdjs[.]online script, though over a thousand sites were reported to have been infected by the msdns[.]online domain.


Researchers said it's likely that the majority of the websites have not been indexed yet.

"While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn't even notice the original infection," Sucuri researchers concluded.

If your website has already been compromised with this infection, you will need to remove the malicious code from the theme's functions.php file and scan the wp_posts table for any possible injection.


Users are advised to change all WordPress passwords and update all server software including third-party themes and plugins just to be on the safer side.

Tuesday, January 23, 2018

From WordPress to Ghost

By Reinaldo Silloto on 16/01/2018 on the iMasters site



There is no denying that WordPress is still one of the best content managers on the Web, but alternatives exist, and many of them are excellent and even beat WordPress in some simple comparisons.
One of these cases of surpassing the master is Ghost, a system for creating blogs and sites that grew out of a successful Kickstarter campaign and has in its DNA the best of services like Medium.
What I like most about Ghost is its simplicity. The main, and perhaps the only, feature of the platform is to provide the best possible tools for creating and editing articles.
There are not thousands of plugins, there are not thousands of themes, there are not thousands of developers, as in WordPress, but everything you need to create content you will find in Ghost.

Why Ghost?

In recent months I began studying the migration of TekZoom to a new platform, more focused on content and less concerned with extra, heavy features.
I had known Ghost since 2013, when I installed it for the first time just out of curiosity.
Back then I was not impressed, quite the opposite, but at the end of last year I decided to revisit the application and give it another chance. What a surprise! In version 1.20.0 everything has changed, without forgetting the simplicity and ease of use that have always been part of the project's core.
In just a few hours I managed to bring up a Node.js/NGINX server with Ghost running smoothly. The next step was to get to know and study HandlebarsJS and create my first theme.
Do you now understand the reason for my paradigm shift and move from WordPress to Ghost? What would have taken me weeks, I managed to do in a few days.
Of course, not everything is perfect. Migrating the content was not simple, and I had to use a small script of my own to upload all the articles from the old site; even so, I had to fix some things manually.
This work is being finished, and I believe that next week the new TekZoom will be published and ready for a new phase.
But I cannot deny that working with such a light and clean solution has been incredible. I never thought I would work with Markdown in my own projects, but it happened and I am loving it.

When to switch platforms?

The answer to that question depends a lot on your project and on how you want to update your content. If you need to build an online store or a dynamic application, WordPress remains one of the best options.
Now, if your business is producing content, Ghost is here to stay.

Monday, December 11, 2017

More than 5,000 WordPress websites plagued with Keylogger

By Waqas on 

WordPress is one of the most used platforms in the world, with more than 75 million websites using its content management system (CMS), and that is a good enough reason for hackers to target WordPress-based websites.

Old Malware New Capabilities

Recently, researchers at website security platform Sucuri discovered that 5,500 WordPress websites are infected with malware that was initially identified in April this year as Cloudflare.solutions. At that time, the malware had cryptomining capabilities, but now, it is equipped with keyloggers.
The malware works by abusing the functions.php file used by WordPress themes. It queues Cloudflare[.]solutions scripts and uses a fake CloudFlare domain in the URLs, which loads a copy of a legitimate ReconnectingWebSocket library.

What Has Changed Since April

Previously, when researchers identified the fake domain, its homepage displayed the message “This Server is part of Cloudflare Distribution Network,” but the new message claims “This server is part of an experimental science machine learning algorithms project.”
Another change identified by researchers is the cors.js script. Upon decoding, there is no outright suspicious code like those banner images in the previous version. However, the script loads Yandex.Metrika, Yandex’s alternative to Google Analytics.
Furthermore, Sucuri researchers found two fake CloudFlare domains, one of which contains long hexadecimal parameters. These domains might look legitimate, but one of those domains does not exist while the other one (cdnjs.cloudflare.com) delivers payloads that are hexadecimal numbers after the question mark in the URLs. Moreover, according to researchers, the script decodes the result and injects it into web pages, making it a keylogger.
This script adds a handler to every input field on the websites to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field, wrote Sucuri’s malware researcher Denis Sinegubko.

What Does This Keylogger Do

The keylogger is designed to steal login credentials from WordPress sites, while its prime target is e-commerce platforms, where it can steal customers' banking and card payment details. In case the platform requires users to log in with their social media details, personal email address or any other sensitive and useful data, the keylogger will also steal and send them to the attackers.
Websocket traffic on an infected login page (Image Credit: Sucuri)
The Cloudflare.solutions malware also injects websites with CoinHive cryptocurrency miner scripts that use visitors' CPU power to mine Monero digital coins.

What WordPress Site Owners Should Do

Since the malicious code for this malware exists in the functions.php file of the WordPress theme, users are advised by Sucuri to “remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.”
WordPress site owners are strongly advised to check whether their site is infected with the Cloudflare.solutions malware and to change all login credentials, including usernames and passwords.
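
The cleanup advice in both keylogger articles on this page (check the theme's functions.php and the wp_posts table; remove add_js_scripts and its add_action clauses) can be turned into a repeatable check. The Python below is an added example, not code from Sucuri or from either article: scan_text is a hypothetical helper, the theme file and post body are constructed samples, and it assumes post_content has been exported from wp_posts as text.

```python
import re

# Campaign domains as printed (defanged) in the articles; refanged only in memory.
DEFANGED = ["cloudflare[.]solutions", "cdjs[.]online", "cdns[.]ws", "msdns[.]online"]
DOMAINS = [d.replace("[.]", ".") for d in DEFANGED]

# Match a campaign domain or its subdomains, not look-alikes ("xcdns.ws",
# "cdns.ws.example") and not the legitimate cdnjs.cloudflare.com.
DOMAIN_RE = re.compile(
    r"(?<![A-Za-z0-9-])(" + "|".join(map(re.escape, DOMAINS))
    + r")(?![A-Za-z0-9-]|\.[A-Za-z0-9])", re.IGNORECASE)

# The function and hook named in the cleanup advice. The name alone is not
# proof (a clean theme could reuse it), so these hits are flagged for review.
HOOK_RE = re.compile(
    r"function\s+add_js_scripts\s*\(|add_action\s*\([^;]*\badd_js_scripts\b")


def scan_text(source, text):
    """Return (source, line_no, kind, detail) for every suspicious line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in DOMAIN_RE.finditer(line):
            detail = m.group(1).lower().replace(".", "[.]")  # report defanged
            findings.append((source, no, "campaign-domain", detail))
        if HOOK_RE.search(line):
            findings.append((source, no, "review-hook", line.strip()))
    return findings


# Constructed samples (not real captures): a theme file and one post body.
SAMPLE_FUNCTIONS_PHP = """<?php
function mytheme_setup() { add_theme_support('post-thumbnails'); }
function add_js_scripts() {
    wp_enqueue_script('x', 'https://DOMAIN/placeholder.js');
}
add_action('wp_enqueue_scripts', 'add_js_scripts');
wp_enqueue_script('jq', 'https://cdnjs.cloudflare.com/placeholder.js');
""".replace("DOMAIN", DOMAINS[3])
SAMPLE_POST_CONTENT = "<p>Hello</p><script src='//DOMAIN/placeholder.js'></script>".replace(
    "DOMAIN", DOMAINS[1])

if __name__ == "__main__":
    for name, body in [("functions.php", SAMPLE_FUNCTIONS_PHP),
                       ("wp_posts.post_content", SAMPLE_POST_CONTENT)]:
        for finding in scan_text(name, body):
            print(*finding, sep=" | ")
```

A review-hook hit without a campaign-domain hit in the same file still deserves a manual look, since the campaign has already moved to new domains once.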